Abstract

Cryptographic protocols, such as protocols for secure function evaluation (SFE), have played a crucial role in the development of modern cryptography. The extensive theory of these protocols, however, deals almost exclusively with classical attackers. If we accept that quantum information processing is the most realistic model of physically feasible computation, then we must ask: what classical protocols remain secure against quantum attackers?

Our main contribution is showing the existence of classical two-party protocols for the secure evaluation of any polynomial-time function under reasonable computational assumptions (for example, it suffices that the learning with errors problem be hard for quantum polynomial time). Our result shows that the basic two-party feasibility picture from classical cryptography remains unchanged in a quantum world.
1 Introduction


Cryptographic protocols, such as protocols for secure function evaluation (SFE), have played a crucial role in the development of modern cryptography. Goldreich, Micali and Wigderson [38], building on the development of zero-knowledge (ZK) proof systems [40, ?], showed that SFE protocols exist for any polynomial-time function under mild assumptions (roughly, the existence of secure public-key cryptosystems). Research into the design and analysis of such protocols is now a large subfield of cryptography; it has also driven important advances in more traditional areas of cryptography such as the design of encryption, authentication and signature schemes.

The extensive theory of these protocols, however, deals almost exclusively with classical attackers. Yet, given our current understanding of physics, quantum information processing is the most realistic model of physically feasible computation. It is natural to ask: what classical protocols remain secure against quantum attackers? In many cases, even adversaries with modest quantum computing capabilities, such as the ability to share and store entangled photon pairs, are not covered by existing proofs of security.

Clearly not all protocols are secure: we can rule out anything based on the computational hardness of factoring, the discrete log [65], or the principal ideal problem [43]. More subtly, the basic techniques used to reason about security may not apply in a quantum setting. For example, some information-theoretically secure two-prover ZK and commitment protocols are analyzed by viewing the provers as long tables that are fixed before queries are chosen by the verifier; quantum entanglement breaks that analysis and some protocols are insecure against colluding quantum provers (Crépeau et al. [?]).

In the computational realm, rewinding is a key technique for basing the security of a protocol on the hardness of some underlying problem. Rewinding proofs consist of a mental experiment in which the adversary is run multiple times using careful variations of a given input. At first glance, rewinding seems impossible with a quantum adversary since running it multiple times might modify the entanglement between its internal storage and an outside reference system, thus changing the overall system's behavior.

In a breakthrough paper, Watrous [72] showed that a specific type of zero-knowledge proof (3-round, GMW-style protocols) can be proven secure using a rewinding argument tailored to quantum adversaries. Damgård and Lunemann [24] showed that a similar analysis can be applied to a variant of Blum's coin flipping protocol. Hallgren et al. [46] showed certain classical transformations from honest-verifier to malicious-verifier ZK can be modified to provide security against malicious quantum verifiers. Some information-theoretically secure classical protocols are also known to resist quantum attacks [?, 17, ?, 16]. Finally, there is a longer line of work on protocols that involve quantum communication, dating back to Bennett and Brassard [8]. Overall, however, little is known about how much of the classical theory can be carried over to quantum settings. See "Related Work", below, for more detail.

1.1 Our Contributions 

Our main contribution is showing the existence of classical two-party protocols for the secure evaluation of any polynomial-time function under reasonable computational assumptions (for example, it suffices that the learning with errors problem [64] be hard for quantum polynomial time). Our result shows that the basic two-party feasibility picture from classical cryptography remains unchanged in a quantum world. The only two-party general SFE protocols which had previously been analyzed in the presence of quantum attackers required quantum computation and communication on the part of the honest participants (e.g., [?]).

In what follows, we distinguish two basic settings: in the stand-alone setting, protocols are designed to be run in isolation, without other protocols running simultaneously; in network settings, the protocols must remain secure even when the honest participants are running other protocols (or copies of the same protocol) concurrently. Protocols proven secure in the universal composability (UC) model [13] are secure in arbitrary network settings, but UC-security is impossible to achieve in many scenarios.
Our contributions can be broken down as follows:

General Modeling of Stand-Alone Security with Quantum Adversaries. We describe a security model for two-party protocols in the presence of quantum attackers. Proving security in this model amounts to showing that a protocol for computing a function $f$ behaves indistinguishably from an "ideal" protocol in which $f$ is computed by a trusted third party, which we call the ideal functionality $\mathcal{F}$. Our model is a quantum analogue of the model of stand-alone security developed by Canetti [?] in the classical setting. It slightly generalizes the existing model of Damgård et al. [27] in two ways. First, our model allows for protocols in which the ideal functionalities process quantum information (rather than only classical functionalities). Second, it allows for adversaries that take arbitrary quantum advice, and for arbitrary entanglement between honest and malicious players' inputs. Our model may be viewed as a restriction of the quantum UC model of Unruh [68] to noninteractive distinguishers, and we use that connection in our protocol design (see below). We also discuss possible variants of quantum stand-alone models and initiate a study of their relationships, which connects to interesting questions of broad scope.

We show a sequential modular composition theorem for protocols analyzed in our model. Roughly, it states that one can design protocols modularly, treating sub-protocols as equivalent to their ideal versions when analyzing security of a high-level protocol. While the composition result of Damgård et al. [27] allows only for classical high-level protocols, our result holds for arbitrary quantum protocols.

Classical Zero-knowledge Arguments of Knowledge Secure Against Quantum Adversaries. We construct a classical zero-knowledge argument of knowledge (ZKAoK) protocol that can be proven secure in our stand-alone model. Our construction is "witness-extendable" (Lindell [50]), meaning that one can simulate an interaction with a malicious prover and simultaneously extract a witness of the statement whenever the prover succeeds. Our security proof overcomes a limitation of the previous construction of (two-party) quantum proofs of knowledge (Unruh [70]), which did not have a simulator for malicious provers. Such a simulator is important since it allows one to analyze security when using a proof of knowledge as a subprotocol. As in the classical case, our ZKAoK protocol is an important building block in designing general SFE protocols.

The main idea behind our construction is to have the prover and verifier first execute a weak coin-flipping protocol to generate a public key for a special type of encryption scheme. The prover encrypts his witness with respect to this public key and proves consistency of his ciphertext with the statement $x$ using the ZK protocols analyzed by Watrous [72]. A simulator playing the role of the verifier can manipulate the coin-flipping phase to generate a public key for which she knows the secret key, thus allowing her to extract the witness without needing to rewind the prover. A simulator playing the role of the prover, on the other hand, cannot control the coin flip (to our knowledge) but can ensure that the public key is nearly random. If the encryption scheme satisfies additional properties (that can be realized under widely used lattice-type assumptions), we show that the verifier's view can nonetheless be faithfully simulated.

Classical UC Protocols in a Quantum Context: Towards Unruh's Conjecture. We show that a large class of protocols which are UC-secure against computationally bounded classical adversaries are also UC-secure against quantum adversaries. Unruh [68] showed that any classical protocol which is proven UC-secure against unbounded classical adversaries is also UC-secure against unbounded quantum adversaries. He conjectured (roughly; see the precise statement later in the paper) that classical arguments of computational UC security should also go through as long as the underlying computational primitives are not easily breakable by quantum computers.

We provide support for this conjecture by describing a family of classical security arguments that go through verbatim with quantum adversaries. We call these arguments "simple hybrid arguments". They use rewinding neither in the simulation nor in any of the steps that show the correctness of simulation.¹

¹ In general, it is hard to clearly define what it means for a security proof to "not use rewinding". It is not enough for the protocol to have a straight-line simulator, since the proof of the simulator's correctness might still employ rewinding. Simple hybrid arguments provide a clean, safe subclass of arguments that go through with quantum adversaries.

Our observation allows us to port a general result of Canetti et al. [?] to the quantum setting. We obtain the following: in the $\mathcal{F}_{\mathrm{ZK}}$-hybrid model, where a trusted party implementing ZKAoK is available, there exist classical protocols for the evaluation of any polynomial-time function $f$ that are UC-secure against quantum adversaries under reasonable computational assumptions. As an immediate corollary, we get a classical protocol that quantum-UC emulates the ideal functionality $\mathcal{F}_{\mathrm{CF}}$ for coin-flipping, assuming UC-secure ZK.

New Classical UC Protocols Secure Against Quantum Attacks. We construct new two-party protocols that are UC-secure against quantum adversaries. Adapting ideas from Lindell [50], we show a constant-round classical coin-flipping protocol from ZK (i.e., in the $\mathcal{F}_{\mathrm{ZK}}$-hybrid model). Note that the general feasibility result from above already implies the existence of a quantum-UC secure coin-flipping protocol, but it needs polynomially many rounds. Conversely, we can also construct a constant-round classical protocol for ZKAoK that is UC-secure against quantum adversaries, assuming a trusted party implementing coin-flipping, i.e., in the $\mathcal{F}_{\mathrm{CF}}$-hybrid model (essentially equivalent to the common reference string model, where all participants have access to a common, uniformly distributed bit string). This establishes the equivalence between $\mathcal{F}_{\mathrm{ZK}}$ and $\mathcal{F}_{\mathrm{CF}}$ in the quantum UC model, which may be of independent interest, e.g., in simplifying protocol designs. It has also motivated a subsequent work by Fehr et al. [34], where they showed interesting connections between ideal functionalities in the quantum-UC model in a systematic way.

Implications. The modular composition theorem in our stand-alone model allows us to get the general feasibility result below by combining our stand-alone ZKAoK protocol and the UC-secure protocols in the $\mathcal{F}_{\mathrm{ZK}}$-hybrid model:

Under standard assumptions, there exist classical SFE protocols in the plain model (without a shared random string) which are stand-alone-secure against static quantum adversaries. This parallels the classic result of Goldreich, Micali and Wigderson [38].

The equivalence of zero-knowledge and coin-flipping functionalities in the UC model also has interesting implications. First, the availability of a common reference string (CRS) suffices for implementing quantum-UC secure protocols. Secondly, given our stand-alone ZKAoK protocol, we get a quantum stand-alone coin-flipping protocol.

Independently of our work, Lunemann and Nielsen [54], via a different route, also showed the existence of classical two-party SFE protocols secure against quantum attacks. See the discussion at the end of "Related Work".

1.2 Related work

In addition to the previous work mentioned above, we expand here on three categories of related efforts.

Composition Frameworks for Quantum Protocols. Systematic investigations of the composition properties of quantum protocols are relatively recent. Canetti's UC framework and Pfitzmann and Waidner's closely related reactive functionality framework were extended to the world of quantum protocols and adversaries by Ben-Or and Mayers [?] and Unruh [67, 68]. These frameworks (which share similar semantics) provide extremely strong guarantees: security in arbitrary network environments. They were used to analyze a number of unconditionally secure quantum protocols (key exchange [6] and multi-party computation with honest majorities [?]). However, many protocols are not universally composable, and Canetti [?] showed that classical protocols cannot UC-securely realize even basic tasks such as commitment and zero-knowledge proofs without some additional setup assumptions such as a CRS or public-key infrastructure.

Damgård et al. [27], building on work by Fehr and Schaffner [32], proposed a general composition framework which applies only to secure quantum protocols of a particular form (where quantum communication occurs only at the lowest levels of the modular composition). As noted earlier, our model is more general and captures both classical and quantum protocols. Recently, Maurer and Renner proposed a new composable framework called Abstract Cryptography [55], and it has been adapted to analyzing quantum protocols as well [?].

Analyses of Quantum Protocols. The first careful proofs of security of quantum protocols were for key exchange (Mayers [?], Lo and Chau [53], Shor and Preskill [66], Beaver [?]). Research on quantum protocols for two-party tasks such as coin-flipping, bit commitment and oblivious transfer dates back farther [?], though some initially proposed protocols were insecure [57]. The first proofs of security of such protocols were based on computational assumptions [28, ?]. They were highly protocol-specific and it was not known how well the protocols composed. The first proofs of security using the simulation paradigm were for information-theoretically-secure protocols for multi-party computations assuming a strict majority of honest participants [20, 22, ?]. More recently, Dupuis et al. [?, 31] constructed two-party quantum protocols for evaluating arbitrary unitary operations, which they proved secure under reasonable computational assumptions in a simulation-based definition similar to what we propose in this work. There was also a line of work on the bounded quantum storage model [?, 25, 32, 63] which developed tools for reasoning about specific types of composition of two-party protocols, under assumptions on the size of the adversary's quantum storage. Many tools have been developed in recent years on modeling and analyzing composable security for protocols of device-independent quantum key-exchange and randomness expansion [?].

Straight-Line Simulators and Code-Based Games. As mentioned above, we introduce "simple hybrid arguments" to capture a class of straightforward security analyses that go through against quantum adversaries. Several formalisms have been introduced in the past to capture classes of "simple" security arguments. To our knowledge, none of them is automatically compatible with quantum adversaries. For example, straight-line black-box simulators [49] do not rewind the adversary nor use an explicit description of its random coins; however, it may be the case that rewinding is necessary to prove that the straight-line simulator is actually correct. In a different vein, the code-based games of Bellare and Rogaway [4] capture a class of hybrid arguments that can be encoded in a clean formal language; again, however, the arguments concerning each step of the hybrid may still require rewinding.

Independent Work. Lunemann and Nielsen [54] independently obtained similar results to the ones described here, via a slightly different route. Specifically, they start by constructing a stand-alone coin-flipping protocol that is fully simulatable against quantum poly-time adversaries. Then they use the coin-flipping protocol to construct a stand-alone ZKAoK protocol, and finally, by plugging into the GMW construction, they get quantum stand-alone-secure two-party SFE protocols as well. The computational assumptions in the two works are similar and the round complexities of the stand-alone SFE protocols are both polynomial in the security parameter. Our approach to composition is more general, however, leading to results that also apply (in part) to the UC model.

1.3 Future Directions 

Our work suggests a number of straightforward conjectures. For example, it is likely that our techniques in fact apply to all the results in CLOS (multi-party, adaptive adversaries) and to corresponding results in the "generalized" UC model [?]. Essentially all protocols in the semi-honest model seem to fit the simple hybrids framework, in particular protocols based on Yao's garbled-circuits framework (e.g., [?]). It is also likely that existing proofs in security models which allow super-polynomial simulation (e.g., [?]) will carry through using a similar line of argument to the one here.

However, our work leaves open some basic questions: for example, can we construct constant-round ZK with negligible completeness and soundness errors against quantum verifiers? Watrous's technique does not immediately answer it since sequential repetition seems necessary in his construction to reduce the soundness error. A quick look at classical constant-round ZK (e.g., [35]) suggests that witness-indistinguishable proofs of knowledge are helpful. Is it possible to construct constant-round witness-extendable WI proofs of knowledge? Do our analyses apply to extensions of the UC framework, such as the generalized UC framework of Canetti et al. [16]? Finally, more generally, which other uses of rewinding can be adapted to quantum adversaries? Aside from the original work by Watrous [72], Damgård and Lunemann [24] and Unruh [70] have shown examples of such adaptation.


Organization. The rest of the paper is organized as follows: Section 2 reviews basic notations and definitions. In Section 3 we propose our quantum stand-alone security model. We show our main result in Section 4. Specifically, Section 4.1 establishes quantum-UC secure protocols in the $\mathcal{F}_{\mathrm{ZK}}$-hybrid model. A quantum stand-alone-secure ZKAoK protocol is developed in Section 4.2. Finally, in Section 5 we discuss the equivalence of $\mathcal{F}_{\mathrm{ZK}}$ and $\mathcal{F}_{\mathrm{CF}}$.


2 Preliminaries 

For $m \in \mathbb{N}$, $[m]$ denotes the set $\{1, \ldots, m\}$. We use $n \in \mathbb{N}$ to denote a security parameter. The security parameter, represented in unary, is an implicit input to all cryptographic algorithms; we omit it when it is clear from the context. Quantities derived from protocols or algorithms (probabilities, running times, etc.) should be thought of as functions of $n$, unless otherwise specified. A function $f(n)$ is said to be negligible if $f = o(n^{-c})$ for any constant $c$, and $\mathrm{negl}(n)$ is used to denote an unspecified function that is negligible in $n$. We also use $\mathrm{poly}(n)$ to denote an unspecified function $f(n) = O(n^{c})$ for some constant $c$. When $D$ is a probability distribution, the notation $x \leftarrow D$ indicates that $x$ is a sample drawn according to $D$. When $D$ is a finite set, we implicitly associate with it the uniform distribution over the set. If $D(\cdot)$ is a probabilistic algorithm, $D(y)$ denotes the distribution over the output of $D$ corresponding to input $y$. We will sometimes use the same symbol for a random variable and for its probability distribution when the meaning is clear from the context. Let $X = \{X_n\}_{n \in \mathbb{N}}$ and $Y = \{Y_n\}_{n \in \mathbb{N}}$ be two ensembles of binary random variables. We call $X, Y$ indistinguishable, denoted $X \approx Y$, if $|\Pr(X_n = 1) - \Pr(Y_n = 1)| < \mathrm{negl}(n)$.

We assume the reader is familiar with the basic concepts of quantum information theory (see, e.g., [?]). We use a sans serif letter (e.g., $\mathsf{X}$) to denote both a quantum register and the corresponding Hilbert space. We use $\mathsf{X}_n$ if we want to be specific about the security parameter. Let $\mathcal{H}_n$ denote the space for $n$ qubits. Let $D(\mathsf{X})$ be the set of density operators acting on space $\mathsf{X}$ and $L(\mathsf{X}, \mathsf{Y})$ be the set of linear operators from space $\mathsf{X}$ to $\mathsf{Y}$.

Quantum Machine Model. We adapt Unruh's machine model in [68] with minor changes. A quantum interactive machine (QIM) $M$ is an ensemble of interactive circuits $\{M_x\}_{x \in I}$. The index set $I$ is typically the natural numbers $\mathbb{N}$ or a set of strings $I \subseteq \{0,1\}^*$ (or both). We give our description here with respect to $\{M_n\}_{n \in \mathbb{N}}$. For each value $n$ of the security parameter, $M_n$ consists of a sequence of circuits $M_n^{(1)}, \ldots, M_n^{(\ell(n))}$, where $M_n^{(i)}$ defines the operation of $M$ in one round $i$ and $\ell(n)$ is the number of rounds for which $M_n$ operates (we assume for simplicity that $\ell(n)$ depends only on $n$). We omit the scripts when they are clear from the context or are not essential for the discussion. Machine $M$ (or rather each of the circuits that it comprises) operates on three registers: a state register $\mathsf{S}$ used for input and workspace; an output register $\mathsf{O}$; and a network register $\mathsf{N}$ for communicating with other machines. The size (or running time) $t(n)$ of $M_n$ is the sum of the sizes of the circuits $M_n^{(i)}$. We say a machine is polynomial time if $t(n) = \mathrm{poly}(n)$ and there is a deterministic classical Turing machine that computes the description of $M_n^{(i)}$ in polynomial time on input $(1^n, 1^i)$.

When two QIMs $M$ and $M'$ interact, they share the network register $\mathsf{N}$. The circuits $M_n^{(i)}$ and $M'^{(i)}_n$ are executed alternately for $i = 1, 2, \ldots, \ell(n)$. When three or more machines interact, the machines may share different parts of their network registers (for example, a private channel consists of a register shared between only two machines; a broadcast channel is a register shared by all machines). The order in which machines are activated may be either specified in advance (as in a synchronous network) or adversarially controlled.
A non-interactive quantum machine (referred to as QTM hereafter) is a QIM $M$ with an empty network register that runs for only one round (for all $n$). This is equivalent to the quantum Turing machine model (see [?]).

A classical interactive Turing machine is a special case of a QIM, where the registers only store classical strings and all circuits are classical. This is also called an interactive Turing machine (ITM) with advice (Canetti [?]).

Indistinguishability of Quantum States. Let $\rho = \{\rho_n\}_{n \in \mathbb{N}}$ and $\eta = \{\eta_n\}_{n \in \mathbb{N}}$ be ensembles of mixed states indexed by $n \in \mathbb{N}$, where $\rho_n$ and $\eta_n$ are both $r(n)$-qubit states for some polynomially bounded function $r$. We first define a somewhat weak notion of indistinguishability of quantum state ensembles.

Definition 2.1 ($(t, \epsilon)$-weakly indistinguishable states). We say two quantum state ensembles $\rho = \{\rho_n\}_{n \in \mathbb{N}}$ and $\eta = \{\eta_n\}_{n \in \mathbb{N}}$ are $(t, \epsilon)$-weakly indistinguishable, denoted $\rho \approx^{w}_{t,\epsilon} \eta$, if for every $t(n)$-time QTM $Z$,

$$|\Pr[Z(\rho_n) = 1] - \Pr[Z(\eta_n) = 1]| < \epsilon(n).$$

The states $\rho$ and $\eta$ are called weakly computationally indistinguishable, denoted $\rho \approx_{wqc} \eta$, if for every polynomial $t(n)$, there exists a negligible $\epsilon(n)$ such that $\rho_n$ and $\eta_n$ are $(t, \epsilon)$-weakly indistinguishable.

A stronger notion of indistinguishability of quantum states was proposed by Watrous [72, Definition 2]. The crucial distinction is that a distinguisher is allowed to take quantum advice.

Definition 2.2 ($(t, \epsilon)$-indistinguishable states). We say two quantum state ensembles $\rho = \{\rho_n\}_{n \in \mathbb{N}}$ and $\eta = \{\eta_n\}_{n \in \mathbb{N}}$ are $(t, \epsilon)$-indistinguishable, denoted $\rho \approx_{t,\epsilon} \eta$, if for every $t(n)$-time QTM $Z$ and any mixed state $\sigma_n$,

$$|\Pr[Z(\rho_n \otimes \sigma_n) = 1] - \Pr[Z(\eta_n \otimes \sigma_n) = 1]| < \epsilon(n).$$

The states $\rho$ and $\eta$ are called quantum computationally indistinguishable, denoted $\rho \approx_{qc} \eta$, if for every polynomial $t(n)$, there exists a negligible $\epsilon(n)$ such that $\rho_n$ and $\eta_n$ are $(t, \epsilon)$-indistinguishable.

The two definitions above subsume classical distributions as a special case, since classical distributions can be represented by density matrices that are diagonal with respect to the standard basis.

Indistinguishability of Quantum Machines. Now we introduce the notion of distinguishing two QTMs.

Definition 2.3 ($(t, \epsilon)$-indistinguishable QTMs). We say two QTMs $M_1$ and $M_2$ are $(t, \epsilon)$-indistinguishable, denoted $M_1 \approx_{t,\epsilon} M_2$, if for any $t(n)$-time QTM $Z$ and any mixed state $\sigma_n \in D(\mathsf{S}_n \otimes \mathsf{R}_n)$, where $\mathsf{R}$ is an arbitrary reference system,

$$\big|\Pr[Z((M_1 \otimes \mathbb{1}_{L(\mathsf{R})})\sigma_n) = 1] - \Pr[Z((M_2 \otimes \mathbb{1}_{L(\mathsf{R})})\sigma_n) = 1]\big| < \epsilon(n).$$

Machines $M_1$ and $M_2$ are called quantum computationally indistinguishable, denoted $M_1 \approx_{qc} M_2$, if for every polynomial $t(n)$, there exists a negligible $\epsilon(n)$ such that $M_1$ and $M_2$ are $(t, \epsilon)$-indistinguishable.


This definition is equivalent to the quantum computationally indistinguishable super-operators proposed by Watrous [72, Definition 6]. If we do not restrict the running time of the distinguisher, we obtain a statistical notion of indistinguishability. Let $\mathrm{TD}(\cdot, \cdot)$ be the trace distance between density operators.

Definition 2.4 ($\epsilon$-indistinguishable QTMs in diamond norm). We say two QTMs $M_1$ and $M_2$ are $\epsilon$-indistinguishable in diamond norm, denoted $M_1 \approx_{\diamond,\epsilon} M_2$, if for any $\sigma_n \in D(\mathsf{S}_n \otimes \mathsf{R}_n)$, $\mathsf{R}$ being an arbitrary reference system,

$$\mathrm{TD}\big[(M_1 \otimes \mathbb{1}_{L(\mathsf{R})})\sigma_n,\ (M_2 \otimes \mathbb{1}_{L(\mathsf{R})})\sigma_n\big] < \epsilon(n).$$

QIMs $M_1$ and $M_2$ are said to be indistinguishable in diamond norm, denoted $M_1 \approx_{\diamond} M_2$, if there exists a negligible $\epsilon(n)$ such that $M_1$ and $M_2$ are $\epsilon$-indistinguishable in diamond norm.
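The trace distance in Definition 2.4 is exactly the largest advantage any distinguisher, bounded or not, can achieve, and on diagonal (classical) states it collapses to the statistical distance mentioned after Definition 2.2. The following added example, which is not code from the paper, makes this concrete for single-qubit states: it computes $\mathrm{TD}$ from the eigenvalues of $\rho - \eta$, evaluates the advantage of a distinguisher that measures a fixed projector, and builds the projector that attains the bound. The restriction to $2 \times 2$ density operators and the projective distinguisher are assumptions of the example, not of the definitions.

```python
# Added example (not from the paper): trace distance between single-qubit
# density operators and the distinguisher advantage it bounds.
import math
from typing import List, Sequence, Tuple

Matrix = List[List[complex]]  # a 2x2 density operator on one qubit


def ket_density(amplitudes: Sequence[complex]) -> Matrix:
    """Pure state |psi><psi| from a normalized 2-entry amplitude vector."""
    a, b = amplitudes
    return [[a * a.conjugate(), a * b.conjugate()],
            [b * a.conjugate(), b * b.conjugate()]]


def diag_density(p: Sequence[float]) -> Matrix:
    """Classical distribution (p0, p1) as a diagonal density operator."""
    return [[complex(p[0]), 0j], [0j, complex(p[1])]]


def sub(x: Matrix, y: Matrix) -> Matrix:
    return [[x[i][j] - y[i][j] for j in range(2)] for i in range(2)]


def trace_of_product(x: Matrix, y: Matrix) -> complex:
    """tr(x y) for 2x2 matrices."""
    return sum(x[i][j] * y[j][i] for i in range(2) for j in range(2))


def hermitian_eigs(m: Matrix) -> Tuple[float, float]:
    """Eigenvalues of a 2x2 Hermitian matrix [[a, b], [b*, d]], largest first."""
    a, d, b = m[0][0].real, m[1][1].real, m[0][1]
    mid = (a + d) / 2
    rad = math.sqrt(((a - d) / 2) ** 2 + abs(b) ** 2)
    return mid + rad, mid - rad


def trace_distance(rho: Matrix, eta: Matrix) -> float:
    """TD(rho, eta) = 1/2 * sum of |eigenvalues of rho - eta|."""
    lam1, lam2 = hermitian_eigs(sub(rho, eta))
    return 0.5 * (abs(lam1) + abs(lam2))


def statistical_distance(p: Sequence[float], q: Sequence[float]) -> float:
    """Classical statistical distance 1/2 * sum |p_i - q_i|."""
    return 0.5 * sum(abs(pi - qi) for pi, qi in zip(p, q))


def measurement_advantage(rho: Matrix, eta: Matrix, projector: Matrix) -> float:
    """|Pr[Z(rho)=1] - Pr[Z(eta)=1]| for the distinguisher Z that measures
    the projector and outputs 1 on the 'yes' outcome: Pr[Z(rho)=1] = tr(P rho)."""
    return abs(trace_of_product(projector, sub(rho, eta)).real)


def helstrom_projector(rho: Matrix, eta: Matrix) -> Matrix:
    """Projector onto the eigenvector of rho - eta with the largest eigenvalue.
    Measuring it attains the trace-distance bound (Helstrom measurement)."""
    delta = sub(rho, eta)
    lam, _ = hermitian_eigs(delta)
    a, b = delta[0][0].real, delta[0][1]
    if abs(b) < 1e-12:  # already diagonal: pick the standard basis vector
        v = (1 + 0j, 0j) if a >= delta[1][1].real else (0j, 1 + 0j)
    else:               # (M - lam I) v = 0 with v = (b, lam - a)
        v = (b, complex(lam - a))
    norm = math.sqrt(sum(abs(c) ** 2 for c in v))
    return ket_density((v[0] / norm, v[1] / norm))


# Constructed sample states: |0> versus |+>, and two classical distributions.
KET0 = ket_density((1 + 0j, 0j))
PLUS = ket_density((1 / math.sqrt(2) + 0j, 1 / math.sqrt(2) + 0j))
CLASSICAL_P = (0.9, 0.1)
CLASSICAL_Q = (0.6, 0.4)

if __name__ == "__main__":
    print("TD(|0>,|+>) =", trace_distance(KET0, PLUS))
    print("advantage, standard-basis measurement =",
          measurement_advantage(KET0, PLUS, KET0))
    print("advantage, Helstrom measurement =",
          measurement_advantage(KET0, PLUS, helstrom_projector(KET0, PLUS)))
    print("TD on diagonal states =",
          trace_distance(diag_density(CLASSICAL_P), diag_density(CLASSICAL_Q)),
          "statistical distance =", statistical_distance(CLASSICAL_P, CLASSICAL_Q))
```

For $|0\rangle$ versus $|+\rangle$ the standard-basis distinguisher only reaches advantage $1/2$, while the Helstrom projector reaches $\mathrm{TD} = 1/\sqrt{2}$; no distinguisher, however much time it is given, does better, which is what makes Definition 2.4 a statistical rather than computational notion. On the diagonal pair the trace distance and the statistical distance coincide.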




Indistinguishability of QIMs. Next, we generalize the definitions of indistinguishability above to interactive quantum machines. Let $Z$ and $M$ be two QIMs. We denote by $\langle Z(\sigma), M \rangle$ the following process: machine $Z$ is initialized with $\sigma$, it then provides input to $M$ and interacts with $M$. In the end, the output register of $M$ is given to $Z$ and $Z$ generates one classical bit on its own output register.

Definition 2.5 ($(t, \epsilon)$-indistinguishable QIMs). We say two QIMs $M_1$ and $M_2$ are $(t, \epsilon)$-interactively indistinguishable, denoted $M_1 \approx_{t,\epsilon} M_2$, if for any quantum $t(n)$-time interactive machine $Z$ and any mixed state $\sigma_n$ on $t(n)$ qubits,

$$|\Pr[\langle Z(\sigma_n), M_1 \rangle = 1] - \Pr[\langle Z(\sigma_n), M_2 \rangle = 1]| < \epsilon(n).$$

QIMs $M_1$ and $M_2$ are called quantum computationally interactively indistinguishable, denoted $M_1 \approx_{qci} M_2$, if for every $t(n) \le \mathrm{poly}(n)$, there exists a negligible $\epsilon(n)$ such that $M_1$ and $M_2$ are $(t, \epsilon)$-interactively indistinguishable.

We may call such a $Z$ an interactive distinguisher. We can likewise define statistically interactively indistinguishable QIMs, denoted $M_1 \approx_{qsi} M_2$, if we allow an unbounded interactive distinguisher $Z$.

Remark 1. Quantum interactive machines, as we defined earlier, can actually be seen as a subset of quantum strategies, formulated in [44]. Namely, a QIM is a strategy in which each channel can be implemented by a uniformly generated circuit. Therefore we can as well define statistical interactive indistinguishability using the $\|\cdot\|_{\diamond r}$ norm for quantum strategies. See Gutoski [?] and Chiribella et al. [?] for details about characterizing distinguishability of quantum strategies using the $\|\cdot\|_{\diamond r}$ norm.

Ideal functionalities. We sketch ideal functionalities, i.e., the programs of a trusted party in an ideal protocol, for a few basic cryptographic tasks.

• Commitment $\mathcal{F}_{\mathrm{COM}}$. At the "Commit" stage, Alice (the committer) inputs a bit $b$ and Bob (the receiver) receives from $\mathcal{F}_{\mathrm{COM}}$ a notification that a bit was committed. At the "Open" stage, Alice can input the command open to $\mathcal{F}_{\mathrm{COM}}$, who then sends Bob $b$.

• Oblivious Transfer $\mathcal{F}_{\mathrm{OT}}$. Alice (the sender) inputs 2 bits $(s_0, s_1)$ and Bob (the receiver) inputs a selection bit $c \in \{0,1\}$. Bob receives $s_c$ from $\mathcal{F}_{\mathrm{OT}}$.

• Zero-knowledge $\mathcal{F}_{\mathrm{ZK}}$. Let $R_L$ be an NP relation. Upon receiving $(x, w)$ from Alice, $\mathcal{F}_{\mathrm{ZK}}$ verifies $(x, w) \in R_L$. If yes, it sends $x$ to Bob; otherwise it instructs Bob to reject.

• Coin Flipping $\mathcal{F}_{\mathrm{CF}}$. Alice and Bob input the request $1^n$ to $\mathcal{F}_{\mathrm{CF}}$, and $\mathcal{F}_{\mathrm{CF}}$ randomly chooses $r \leftarrow \{0,1\}^n$ and sends it to Alice. Alice responds to $\mathcal{F}_{\mathrm{CF}}$ with "acc" or "rej", indicating continuing or aborting respectively. In the case of "acc", $\mathcal{F}_{\mathrm{CF}}$ sends $r$ to Bob and otherwise sends Bob $\bot$. Note the functionality is asymmetric in the sense that Alice gets the coins first. This avoids the complicated issue of fairness, which has been an active line of research in classical cryptography (see for example [?, 59, ?]) and is beyond the scope of this paper.
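Since ideal functionalities are simply the programs run by a trusted party, they can be written down as ordinary code, and doing so makes explicit what each party's view contains. The following added example, which is not code from the paper, implements the four functionalities above with each output labelled by the party that receives it; the SHA-256 preimage relation used as the sample $R_L$, the `"acc"`/`"rej"` strings, the injectable coin sampler, and the `BOT` and `REJECT` markers are constructions of the example.

```python
# Added example (not from the paper): the ideal functionalities F_COM, F_OT,
# F_ZK and F_CF as trusted-party programs, with every party's view explicit.
import hashlib
import secrets
from typing import Callable, Dict, Optional

BOT = "⊥"           # what F_CF sends Bob when Alice aborts
REJECT = "reject"   # what F_ZK instructs Bob to do on a bad witness


class IdealCommitment:
    """F_COM: until opening, Bob learns only that *some* bit was committed."""

    def __init__(self) -> None:
        self._bit: Optional[int] = None

    def commit(self, b: int) -> str:
        if self._bit is not None:
            raise ValueError("already committed")
        if b not in (0, 1):
            raise ValueError("input must be a bit")
        self._bit = b
        return "committed"          # Bob's notification does not depend on b

    def open(self) -> int:
        if self._bit is None:
            raise ValueError("nothing committed")
        return self._bit            # delivered to Bob


def ideal_ot(s0: int, s1: int, c: int) -> Dict[str, object]:
    """F_OT: Bob receives s_c; Alice's view carries no information about c."""
    if c not in (0, 1):
        raise ValueError("selection must be a bit")
    return {"alice": "done", "bob": (s0, s1)[c]}


def ideal_zk(relation: Callable[[str, str], bool], x: str, w: str) -> Dict[str, object]:
    """F_ZK for R_L: Bob sees x (and never w) iff (x, w) is in R_L."""
    return {"alice": "done", "bob": x if relation(x, w) else REJECT}


def sha256_preimage_relation(x: str, w: str) -> bool:
    """Constructed sample NP relation: w is a preimage of the hex digest x."""
    return hashlib.sha256(w.encode()).hexdigest() == x


def ideal_coin_flip(n: int, alice_decides: Callable[[str], str],
                    sample_bits: Optional[Callable[[int], str]] = None) -> Dict[str, object]:
    """F_CF: r is sampled uniformly and shown to Alice first; Bob receives r
    only if Alice answers 'acc', otherwise ⊥ (the asymmetry noted above).
    sample_bits is injectable so that runs can be made deterministic."""
    if sample_bits is None:
        sample_bits = lambda k: format(secrets.randbits(k), f"0{k}b")
    r = sample_bits(n)
    decision = alice_decides(r)
    if decision not in ("acc", "rej"):
        raise ValueError("Alice must answer acc or rej")
    return {"alice": r, "bob": r if decision == "acc" else BOT}


# Constructed sample instance for F_ZK: a statement and its witness.
SAMPLE_W = "constructed witness"
SAMPLE_X = hashlib.sha256(SAMPLE_W.encode()).hexdigest()

if __name__ == "__main__":
    com = IdealCommitment()
    print("F_COM commit ->", com.commit(1), "| open ->", com.open())
    print("F_OT  ->", ideal_ot(0, 1, 1))
    print("F_ZK  ->", ideal_zk(sha256_preimage_relation, SAMPLE_X, SAMPLE_W)["bob"] == SAMPLE_X)
    # An Alice that aborts whenever the first coin is 1 biases Bob's output
    # toward ⊥, which is exactly the fairness issue the asymmetric F_CF sidesteps.
    print("F_CF  ->", ideal_coin_flip(8, lambda r: "acc" if r[0] == "0" else "rej"))
```

Running the script shows the two views side by side: the sender's view of $\mathcal{F}_{\mathrm{OT}}$ is identical for $c = 0$ and $c = 1$, Bob's view of $\mathcal{F}_{\mathrm{ZK}}$ never contains $w$, and an aborting Alice can only replace Bob's output with $\bot$, never change which $r$ he would have received.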

3 Modeling Security in the Presence of Quantum Attacks 

In this section, we propose a stand-alone security model for two-party protocols in the presence of quantum attacks and show a modular composition theorem in this model, which allows us to use secure protocols as ideal building blocks to construct larger protocols. We also discuss variants of our stand-alone model in a unified framework. To be self-contained, we review later in this section the quantum universal-composable (UC) security model, which is a generalization of the classical UC model to the quantum setting.
3.1 A General Quantum Stand-Alone Security Model


Our model follows the real-world/ideal-world simulation paradigm. It proceeds in three high-level steps: (i) formalizing the process of executing a protocol in the presence of adversarial activities; (ii) formalizing an ideal-world protocol for realizing the desired task, an (imaginary) idealized protocol which captures the security guarantees we want to achieve; (iii) finally, we say a (real-world) protocol realizes a task securely if it "behaves similarly" to the ideal-world protocol for that task (Definition 3.3). "Behaving similarly" is formalized by the notion of stand-alone emulation between protocols (Definition 3.1 [12]).

Our definition can be viewed in two ways: either as a quantum analogue of Canetti's classical stand-alone model [?] or as a relaxed notion of (a variant of) Unruh's quantum UC security [68]. Prior to our work, stand-alone security definitions for quantum attacks were largely developed ad hoc; the first systematic treatments appear in [?, 27]. Our model generalizes the existing model of Damgård et al. [27] in two ways. First, our model allows protocols in which the functionalities can process quantum information (rather than only classical functionalities). Second, it allows adversaries that take arbitrary quantum advice, and for arbitrary entanglement between honest and malicious players' inputs. This distinction is reflected in the composability that the model provides (see details in Section 3.1.2). While the composition results of Damgård et al. allow only for classical high-level protocols, our result holds for arbitrary quantum protocols.


3.1.1 The Model

We describe our model for the two-party setting; it is straightforward to extend to the multi-party setting. We first introduce a few important objects in our model. We formalize a cryptographic task by an interactive machine called a functionality. It contains the instructions to realize the task, and we usually denote it by $\mathcal{F}$ or $\mathcal{G}$. While our model applies to both classical and quantum functionalities, our focus in this work is on efficient classical functionalities; namely, $\mathcal{F}$ is a classical probabilistic polynomial-time machine. A two-party protocol for a task $\mathcal{F}$ consists of a pair of interactive machines $(A, B)$. We call a protocol poly-time if $A$ and $B$ are both poly-time machines. We typically use Greek letters (e.g., $\Pi$) to denote protocols. If we want to emphasize that a protocol is classical, i.e., the computation and all messages exchanged are classical, we use lower-case letters (e.g., $\pi$). Finally, an adversary, usually denoted $\mathcal{A}$ or $\mathcal{S}$, is another interactive machine that intends to attack a protocol. Very often we abuse notation and do not distinguish between a machine and the player that runs it; this should not cause any confusion.

Protocol Execution. We consider executing a protocol $\Pi = (A, B)$ in the presence of an adversary $\mathcal{A}$. Their state registers are initialized with a security parameter $1^n$ and a joint quantum state $\sigma_n$. Adversary $\mathcal{A}$ is activated first and coordinates the execution. Specifically, the operations of each party are:

• Adversary $\mathcal{A}$: it may either deliver a message to some party or corrupt a party. Delivering a message simply means instructing the designated party (i.e., the receiver) to read the proper segment of its network register. We assume all registers are authenticated, so that $\mathcal{A}$ cannot modify them; in particular, if a register is private to a party, $\mathcal{A}$ may not read its content. Other than that, $\mathcal{A}$ can, for example, schedule the delivery of messages in an arbitrary way. If $\mathcal{A}$ corrupts a party, the party passes all of its internal state to $\mathcal{A}$ and follows the instructions of $\mathcal{A}$. In the two-party setting, corrupting a party can simply be thought of as substituting the machine of $\mathcal{A}$ for the machine of the corrupted party.

• Parties in $\Pi$: once a party receives a message from $\mathcal{A}$, it is activated and runs its machine. At the end of a round, some message is generated on the network register. Adversary $\mathcal{A}$ is activated again and controls message delivery. At some round, the party generates its output and terminates.

¹ E.g., Fehr and Schaffner [27] write: "It is still common practice in quantum cryptography that every paper proposes its own security definition of a certain task and proves security with respect to the proposed definition. However, it usually remains unclear whether these definitions are strong enough to guarantee any kind of composability, and thus whether protocols that meet the definition really behave as expected."
Clearly, we can view $\Pi$ and $\mathcal{A}$ as a whole and model the composed system as another QIM, call it $M_{\Pi,\mathcal{A}}$. Then executing $\Pi$ in the presence of $\mathcal{A}$ is just running $M_{\Pi,\mathcal{A}}$ on some input state, which may be entangled with a reference system that will be handed to the distinguisher.

Protocol Emulation. As indicated earlier, a secure protocol is supposed to "emulate" an idealized protocol. Here we formally define emulation between protocols. Let $\Pi$ and $\Gamma$ be two protocols. Let $M_{\Pi,\mathcal{A}}$ be the composed machine of $\Pi$ and an adversary $\mathcal{A}$, and $M_{\Gamma,\mathcal{S}}$ that of $\Gamma$ and another adversary $\mathcal{S}$. Informally, $\Pi$ emulates $\Gamma$ if the two machines $M_{\Pi,\mathcal{A}}$ and $M_{\Gamma,\mathcal{S}}$ are indistinguishable.

Definition 3.1 (Computationally Quantum-Stand-Alone Emulation). Let $\Pi$ and $\Gamma$ be two poly-time protocols. We say $\Pi$ computationally quantum-stand-alone (C-QSA) emulates $\Gamma$ if for any poly-time QIM $\mathcal{A}$ there exists a poly-time QIM $\mathcal{S}$ such that $M_{\Pi,\mathcal{A}} \approx_{qc} M_{\Gamma,\mathcal{S}}$.

Definition 3.2 (Statistically Quantum-Stand-Alone Emulation). Let $\Pi$ and $\Gamma$ be two poly-time protocols. We say $\Pi$ statistically quantum-stand-alone (S-QSA) emulates $\Gamma$ if for any QIM $\mathcal{A}$ there exists a QIM $\mathcal{S}$ that runs in time polynomial in that of $\mathcal{A}$ such that $M_{\Pi,\mathcal{A}} \approx_{qs} M_{\Gamma,\mathcal{S}}$.



Figure 1: Quantum stand-alone emulation between protocols.


Remark 2. (i) The adversary $\mathcal{S}$ is usually called a simulator because typical constructions of $\mathcal{S}$ simulate the given $\mathcal{A}$ internally. (ii) In the statistical setting, we require the complexity of $\mathcal{S}$ and $\mathcal{A}$ to be polynomially related. This ensures that the statistical notion actually implies the computational one. See Canetti [14] for a discussion of this issue in the classical context.


Ideal-world Protocol and Secure Realization of a Functionality. We formalized protocol emulation in a general form which applies to any two protocols. But it is of particular interest to emulate a special type of protocol which captures the security guarantees we want to achieve. We formalize the so-called ideal-world protocol $\Pi_{\mathcal{F}}$ for a functionality $\mathcal{F}$. In this protocol, two (dummy) parties $A$ and $B$ have access to an additional "trusted" party that implements $\mathcal{F}$. We may abuse notation and call the trusted party $\mathcal{F}$ too. Basically, $A$ and $B$ invoke $\mathcal{F}$ with their inputs, and then $\mathcal{F}$ runs on the inputs and sends the respective outputs back to $A$ and $B$. An execution of $\Pi_{\mathcal{F}}$ with an adversary $\mathcal{S}$ is similar to our prior description for executing a (real-world) protocol, except that $\mathcal{F}$ cannot be corrupted. Likewise, we denote the composed machine of $\mathcal{S}$ and $\Pi_{\mathcal{F}}$ by $M_{\mathcal{F},\mathcal{S}}$. We state the definition in the computational setting; statistical emulation is defined analogously.

Definition 3.3 (C-QSA Realization of a Functionality). Let $\mathcal{F}$ be a poly-time two-party functionality and $\Pi$ be a poly-time two-party protocol. We say $\Pi$ computationally quantum-stand-alone realizes $\mathcal{F}$ if $\Pi$ C-QSA emulates $\Pi_{\mathcal{F}}$. Namely, for any poly-time $\mathcal{A}$ there is a poly-time $\mathcal{S}$ such that $M_{\Pi,\mathcal{A}} \approx_{qc} M_{\mathcal{F},\mathcal{S}}$.


It is conventional to use $\mathrm{EXEC}_{\Pi,\mathcal{A},\mathcal{Z}} := \{\mathcal{Z}((M_{\Pi,\mathcal{A}} \otimes \mathbb{1}_{L(R)})(\sigma_n))\}_{n \in \mathbb{N}}$ to denote the binary output distribution ensemble of $\mathcal{Z}$ run on the output state of an execution of $\Pi$ and $\mathcal{A}$ with input $(1^n, \sigma_n)$. Likewise, $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}} := \{\mathcal{Z}((M_{\mathcal{F},\mathcal{S}} \otimes \mathbb{1}_{L(R)})(\sigma_n))\}_{n \in \mathbb{N}}$ denotes the binary output distribution ensemble of $\mathcal{Z}$ in an execution of the ideal-world protocol $\Pi_{\mathcal{F}}$. Definition 3.3 can be restated as requiring that for any poly-time $\mathcal{A}$ there exists a poly-time $\mathcal{S}$ such that, for any poly-time $\mathcal{Z}$ and state $\sigma_n$, we have

$$\mathrm{EXEC}_{\Pi,\mathcal{A},\mathcal{Z}} \approx \mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}} .$$

Figure 2: Quantum stand-alone realization of a functionality.

Types of Attack. Typically, we need to speak of security against a specific class of adversaries. We have distinguished two classes of adversaries according to their computational complexity, i.e., poly-time vs. unbounded time. We also categorize adversaries according to how they corrupt the parties and how they deviate from the honest behavior defined by the protocol. The two standard types of corruption considered in the literature are static vs. adaptive corruption. Under static corruption, the identities of the corrupted parties are determined before the protocol starts. In contrast, adaptive corruption allows an adversary to choose the party to corrupt adaptively during the execution. This work only concerns static corruption.

In terms of what dishonest behaviors are permitted for an adversary, again two classes are considered standard in the literature: semi-honest (a.k.a. passive or honest-but-curious) and malicious (a.k.a. active). A semi-honest adversary, after corrupting a party, still follows the party's circuit, except that in the end it processes the output and the state of the party. A malicious adversary, however, can substitute any circuit for the corrupted party. In the definitions of protocol emulation, unless otherwise specified, the two adversaries in the real world and the ideal world must belong to the same class. For example, if $\mathcal{A}$ is semi-honest, $\mathcal{S}$ must also be semi-honest.

These notions of different classes of adversaries naturally extend to quantum adversaries, except for one subtlety in defining semi-honest quantum adversaries. There are two possible definitions. One definition, which may be referred to as the Lo-Chau-Mayers semi-honest model [52, 56], allows $\mathcal{A}$ to run the circuit of the corrupted party, as specified by the protocol, coherently. Namely, $\mathcal{A}$ purifies the circuit of the corrupted party so that all operations are unitary. For example, instead of measuring a quantum state, the register is "copied" by a CNOT operation into an ancillary register. The other definition forces the adversary to follow the corrupted party's circuit exactly during the protocol execution, so that every quantum measurement occurs immediately and is possibly destructive. In other words, in the second model, a semi-honest quantum adversary $\mathcal{A}$ only corrupts a party at the end of the protocol execution, and then processes the internal state and transcript that the corrupted party holds. This second model is generally weaker than the first, in the sense that the adversary is more restricted. In this paper, we focus on the second of these two notions.
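The difference between the two semi-honest quantum models can be seen on a single qubit. The following is an added example and not code from the paper: it computes, in plain Python with no quantum library (an assumption made only to keep it self-contained), the joint state of the corrupted party's register and the adversary's ancilla under both models. In both cases the honest party's reduced state is the same, so the remainder of the protocol proceeds identically; but only the coherent (Lo-Chau-Mayers) adversary retains a purification, which is exactly the extra power the text refers to.

```python
"""Added example (not from the paper): the two semi-honest quantum models
of Section 3.1.1 on a single qubit, in plain Python (no quantum library).

Honest party holds |psi> = a|0> + b|1> and is supposed to measure it.
  * Lo-Chau-Mayers adversary: runs the step coherently, "copying" the
    qubit into an ancilla with a CNOT instead of measuring.
  * Measure-then-corrupt adversary: the measurement really happens; at
    the end it receives the classical outcome stored in the ancilla.
Basis order for two-qubit objects is |q, anc> = |00>, |01>, |10>, |11>.
"""
import math


def coherent_copy(a, b):
    """State vector after CNOT(q -> anc) on |psi>|0>: a|00> + b|11>."""
    return [a, 0j, 0j, b]


def measured_with_record(a, b):
    """Density matrix after measuring q in the computational basis and
    writing the outcome into anc: |a|^2 |00><00| + |b|^2 |11><11|."""
    rho = [[0j] * 4 for _ in range(4)]
    rho[0][0] = abs(a) ** 2
    rho[3][3] = abs(b) ** 2
    return rho


def density(vec):
    """|v><v| for a pure state vector v."""
    return [[x * y.conjugate() for y in vec] for x in vec]


def partial_trace_anc(rho):
    """Reduced state of q: trace out anc (index = 2*q + anc)."""
    red = [[0j, 0j], [0j, 0j]]
    for i in range(2):
        for j in range(2):
            red[i][j] = sum(rho[2 * i + k][2 * j + k] for k in range(2))
    return red


def purity(rho):
    """Tr(rho^2): 1 for a pure state, < 1 for a proper mixture."""
    n = len(rho)
    return sum(rho[i][j] * rho[j][i] for i in range(n) for j in range(n)).real


def same_matrix(x, y, tol=1e-12):
    return all(abs(x[i][j] - y[i][j]) < tol
               for i in range(len(x)) for j in range(len(x)))


def compare_models(a, b):
    """What the honest side sees vs. what the adversary retains."""
    rho_c = density(coherent_copy(a, b))
    rho_m = measured_with_record(a, b)
    return {
        # Honest register has the same reduced state either way, so the
        # rest of the protocol cannot tell the two adversaries apart.
        "honest_marginal_equal": same_matrix(partial_trace_anc(rho_c),
                                             partial_trace_anc(rho_m)),
        # Only the coherent adversary keeps a purification of the step.
        "purity_coherent": purity(rho_c),
        "purity_measured": purity(rho_m),
    }


if __name__ == "__main__":
    s = 1 / math.sqrt(2)
    print(compare_models(complex(s), complex(s)))
```

The purity gap is the whole point: the measured-then-corrupted adversary holds a classical record correlated with the honest register, while the coherent adversary holds an entangled purification of it, which is why simulation arguments for the first model must cope with entanglement that the second model never creates.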

3.1.2 Modular Composition Theorem

It is common practice in the design of large protocols to divide a task into several subtasks. We first realize each subtask, and then use these modules as building blocks (subroutines) to realize the initial task. In this section, we show that our definition allows such modular design.

Composition Operation. Let $\Pi$ be a protocol that uses another protocol $\Gamma$ as a subroutine, and let $\Gamma'$ be a protocol that QSA emulates $\Gamma$. We define the composed protocol, denoted $\Pi^{\Gamma/\Gamma'}$, to be the protocol in which each invocation of $\Gamma$ is replaced by an invocation of $\Gamma'$. We allow multiple calls to a subroutine and also the use of multiple subroutines in a protocol $\Pi$. However, we require that at any point only one subroutine call be in progress; that is, we handle sequential composition. This is weaker than the "network" setting, where many instances and subroutines may be executed concurrently.

We can show that our quantum stand-alone model admits a modular composition theorem.

Theorem 3.4 (Modular Composition: General Statement). Let $\Pi$, $\Gamma$ and $\Gamma'$ be two-party protocols such that $\Gamma'$ C-QSA (resp. S-QSA) emulates $\Gamma$. Then $\Pi^{\Gamma/\Gamma'}$ C-QSA (resp. S-QSA) emulates $\Pi$.

The proof can be found in the appendix. Here we discuss an important type of protocol where the composition theorem is especially useful.

Protocols in a Hybrid Model. We next define a hybrid model, in which the parties can make calls to the ideal-world protocol $\Pi_{\mathcal{G}}$ of some functionality $\mathcal{G}$.² We call such a protocol a $\mathcal{G}$-hybrid protocol, and denote it $\Pi^{\mathcal{G}}$. The execution of a hybrid protocol in the presence of an adversary $\mathcal{A}$ proceeds in the usual way.

Now assume that we have a protocol $\Gamma$ that realizes $\mathcal{G}$ and we have designed a $\mathcal{G}$-hybrid protocol $\Pi^{\mathcal{G}}$ realizing another functionality $\mathcal{F}$. Then the composition theorem allows us to treat sub-protocols as equivalent to their ideal versions when analyzing the security of a high-level protocol.

Corollary 3.5 (Modular Composition: Realizing Functionalities). Let $\mathcal{F}$ and $\mathcal{G}$ be poly-time functionalities. Let $\Pi^{\mathcal{G}}$ be a $\mathcal{G}$-hybrid protocol that C-QSA (resp. S-QSA) realizes $\mathcal{F}$, and let $\Gamma$ be a protocol that C-QSA (resp. S-QSA) realizes $\mathcal{G}$. Then $\Pi^{\mathcal{G}/\Gamma}$ C-QSA (resp. S-QSA) realizes $\mathcal{F}$.

Figure 3: Illustration of the modular composition theorem: the general case (left) and in the hybrid model (right).


3.1.3 Variants of Quantum Stand-Alone Models: A Unified Framework

When defining a security model, there are many choices qualifying and quantifying the power of the adversaries to account for various security requirements. Here we provide an abstract stand-alone model for both classical and quantum cryptographic protocols, illustrated in Figure 4, which contains three natural choices for the adversaries that we think are essential. This abstract model captures all existing stand-alone security models (including ours), which allows for a unified study of, and comparison among, these models. The relationship between these models may be interesting beyond the study of SFE.

The model contains an environment $\mathcal{Z}$ and a protocol. Depending on whether the protocol is in the real or the ideal world, we have the honest party, the (real- or ideal-world) adversary and possibly the trusted party. Here we think of the environment as two separate machines: $\mathcal{Z}_1$, which we may call an input sampler, prepares inputs to the players; and $\mathcal{Z}_2$, which receives outputs and makes the decision. Now we consider the following choices:

² In contrast, we call it the plain model if no such trusted set-ups are available.

Figure 4: Possible choices in defining a security model.


(a) Does $\mathcal{Z}_1$, the input sampler, have quantum advice $aux_1$? In other words, do we allow arbitrary input states or only states that can be generated efficiently?

(b) Does $\mathcal{Z}_2$, which is essentially a distinguisher, take quantum advice $aux_2$?

(c) Does $\mathcal{Z}_1$ pass a state to $\mathcal{Z}_2$? Namely, does the environment keep state during the execution?


Notice that positive answers potentially give more power to the adversaries and thus provide stronger security guarantees. Also note that all machines are always allowed to take classical advice. We may denote a security model as $\mathcal{M}_{\cdot,\cdot,\cdot}$, where the subscripts are taken from $\{aux_1, \overline{aux_1}, aux_2, \overline{aux_2}, state, \overline{state}\}$, indicating each of the choices made for the model. For example, $\mathcal{M}_{aux_1,\overline{aux_2},state}$ corresponds to the model in which $\mathcal{Z}_1$ gets quantum advice, $\mathcal{Z}_2$ takes no quantum advice and $\mathcal{Z}_1$ passes state to $\mathcal{Z}_2$; this is exactly our model in Def. 3.1. Similarly, $\mathcal{M}_{aux_1,aux_2,state}$ is the model where $\mathcal{Z}_1$ and $\mathcal{Z}_2$ both take quantum advice, and there is state passing from $\mathcal{Z}_1$ to $\mathcal{Z}_2$.

We say two models $\mathcal{M}$ and $\mathcal{M}'$ are equivalent if for any two protocols $\Pi$ and $\Gamma$, it holds that $\Pi$ emulates $\Gamma$ in $\mathcal{M}$ if and only if $\Pi$ emulates $\Gamma$ in $\mathcal{M}'$. It is conceivable that some of the $2^3 = 8$ combinations collapse to the same model. For example, if all players are classical circuits, then all eight models $\mathcal{M}_{\cdot,\cdot,\cdot}$ collapse. This is because classical (non-uniform) machines can only measure a quantum state in the computational basis to obtain a classical string from a certain distribution. But a classical circuit can be hardwired with any classical string, and so (quantum) advice gives no extra power to a classical circuit. Passing state likewise becomes vacuous.

When we consider an adversary and environment consisting of quantum circuits, the situation becomes more complicated. We can observe that choice (b) becomes irrelevant once we permit arbitrary input states and state passing (i.e., $\mathcal{M}_{aux_1,aux_2,state} = \mathcal{M}_{aux_1,\overline{aux_2},state}$): whatever advice $\mathcal{Z}_2$ would take can be included in the advice of $\mathcal{Z}_1$ and passed along as state. We conjecture that state passing makes no difference either. If this is indeed true, then all the variants collapse when $\mathcal{Z}_1$ takes quantum advice. On the other hand, if $\mathcal{Z}_1$ takes no advice (i.e., only efficiently generated input states are allowed), we are left with the two variants $\mathcal{M}_{\overline{aux_1},aux_2,\cdot}$ and $\mathcal{M}_{\overline{aux_1},\overline{aux_2},\cdot}$. The relationship between these two models is closely related to the fundamental open question in quantum complexity theory of whether $\mathrm{BQP/poly} = \mathrm{BQP/qpoly}$. We leave further investigation as future work. In the appendix we discuss another variant that appears in the literature [27, 3?], in which $\mathcal{Z}_1$ may only generate input states of a special form. We show that this does not change the model in the case that $\mathcal{Z}_1$ takes quantum advice.


3.2 Quantum UC Model: An Overview

So far, our security model falls into the stand-alone setting, where protocols are assumed to be executed in isolation. However, in practice we often encounter a network setting, where many protocols are running concurrently. A protocol proven secure according to a stand-alone security definition ensures nothing if we run it in a network environment. In view of this issue, Canetti [13] proposed the (classical) Universally Composable (UC) security model. It differs from the stand-alone definition of security in that the environment is allowed to be interactive: during the execution of the protocol, the environment may provide inputs to and receive the outputs of the honest players, and exchange arbitrary messages with the adversary. In contrast, the environment in the stand-alone model runs only at the end of the protocol execution (and, implicitly, before the protocol starts, to prepare the inputs to all parties). UC-secure protocols enjoy a property called general (or universal) composition³: loosely speaking, the protocol remains secure even if it is run concurrently with an unbounded number of other arbitrary protocols (whereas proofs of security in the stand-alone model only guarantee security when a single protocol at a time is running).

Earlier work on defining UC security and proving universal composition in the quantum setting appears in [?, 67]. We will adapt the somewhat simpler formalism of Unruh [68].

Modulo a small change in Unruh's model (quantum advice, discussed below), our stand-alone model is exactly the restriction of Unruh's model to a non-interactive environment, that is, one which is idle from the start to the finish of the protocol. The only apparent difference is that in the UC model the environment runs for some time before the protocol starts to prepare inputs, while in Section 3.1 we simply quantify over all joint states $\sigma$ of the honest players' and adversary's inputs. This difference is only cosmetic, though: the state $\sigma$ can be taken to be the joint state of the outputs and internal memory of the environment at the time the protocol begins.

We make one change to Unruh's model in order to be consistent with our earlier definitions and the work of Watrous on zero-knowledge [72]: we allow the environment to take quantum advice, rather than only classical advice. In the language of [68, p. 11], we change the initialization phase of a network execution to create a state $\rho \in P(\mathcal{H}_N)$ which equals the classical string $|(\varepsilon, \mathrm{environment}, \varepsilon)\rangle$ on one register (instead of $|(\varepsilon, \mathrm{environment}, z)\rangle$), and an arbitrary state $\sigma$ on the other (instead of $|\varepsilon\rangle$). Here $\varepsilon$ denotes the empty string. Moreover, we change the definition of indistinguishable networks [68, p. 12] to quantify over all states $\sigma$ instead of all classical strings $z$. This change is not significant for statistical security, since an unbounded adversary may reconstruct a quantum advice state from an (exponentially long) classical description. However, it may be significant for polynomial-time adversaries: it is not known how much quantum advice affects the power of, say, BQP relative to classical advice. For completeness, we state this modified definition of quantum UC security below.


Definition 3.6 (Computationally Quantum-UC Emulation). Let $\Pi$ and $\Gamma$ be two-party protocols. We say $\Pi$ computationally quantum-UC (C-QUC) emulates $\Gamma$ if for any poly-time QIM $\mathcal{A}$ there is a poly-time QIM $\mathcal{S}$ such that $M_{\Pi,\mathcal{A}} \approx_{qc} M_{\Gamma,\mathcal{S}}$ (as per Def. 2.5).

Here $M_{\Pi,\mathcal{A}}$ (and likewise $M_{\Gamma,\mathcal{S}}$) denotes the composed system of $\Pi$ and $\mathcal{A}$, which can be viewed as a QIM. Its network register consists of part of the adversary's network register, and is used for external communication with another party (e.g., an environment). Alternatively, define $\mathrm{EXEC}_{\Pi,\mathcal{A},\mathcal{Z}} := \{\langle \mathcal{Z}(\sigma_n), M_{\Pi,\mathcal{A}} \rangle\}_{n \in \mathbb{N},\, \sigma_n \in D(\mathcal{H}_n)}$ and $\mathrm{EXEC}_{\Gamma,\mathcal{S},\mathcal{Z}} := \{\langle \mathcal{Z}(\sigma_n), M_{\Gamma,\mathcal{S}} \rangle\}_{n \in \mathbb{N},\, \sigma_n \in D(\mathcal{H}_n)}$. We can rephrase the condition as "for any poly-time QIM $\mathcal{A}$, there is a poly-time QIM $\mathcal{S}$, such that for any poly-time QIM $\mathcal{Z}$,

$$\mathrm{EXEC}_{\Pi,\mathcal{A},\mathcal{Z}} \approx \mathrm{EXEC}_{\Gamma,\mathcal{S},\mathcal{Z}} .\text{''}$$

If we allow $\mathcal{A}$ and $\mathcal{Z}$ to be unbounded machines, i.e., we require that $M_{\Pi,\mathcal{A}} \approx_{qs} M_{\Gamma,\mathcal{S}}$, then we get the notion of statistically quantum-UC (S-QUC) emulation. As suggested in [43], we can also use the $\|\cdot\|_{\diamond r}$ norm on strategies to define it. Namely, we require that for any $\mathcal{A}$ there exists $\mathcal{S}$ such that $\|M_{\Pi,\mathcal{A}} - M_{\Gamma,\mathcal{S}}\|_{\diamond r} \le \mathrm{negl}(n)$.

General (Concurrent) Composition. The most striking feature of the UC model is that it admits a very general form of composition, concurrent composition.⁴ Specifically, consider a protocol $\Pi$ that makes subroutine calls to a protocol $\Gamma$. In contrast to the stand-alone setting, we now allow multiple instances of $\Gamma$ running concurrently. (For a formal description of the general composition operation, see Canetti [13].) As before, we write $\Pi^{\Gamma/\Gamma'}$ to denote the protocol obtained from $\Pi$ by substituting $\Gamma'$ for subroutine calls to $\Gamma$.

³ There is a distinction between UC security (a definition that may be satisfied by a specific protocol and ideal functionality) and universal composition (a property of the class of protocols that satisfy a security definition). Not all definitions that admit universal composition theorems are equivalent to UC security. See [?] for discussion.

Our modifications of Unruh's definition do not affect the validity of the universal composition theorem:

Theorem 3.7 (Quantum UC Composition Theorem (Unruh [68])). Let $\Pi$, $\Gamma$ and $\Gamma'$ be poly-time protocols. Assume that $\Gamma'$ quantum-UC emulates $\Gamma$. Then $\Pi^{\Gamma/\Gamma'}$ quantum-UC emulates $\Pi$.

There is another useful property that simplifies the proof of UC emulation. In both the classical and the quantum UC model, it suffices to consider a special adversary, called the dummy adversary $\mathcal{A}_{dummy}$. The dummy adversary $\mathcal{A}_{dummy}$ just forwards messages between a protocol and an environment and leaves any further processing to the environment. Here we only restate the completeness of the dummy adversary in the quantum setting:

Theorem 3.8 (Completeness of the dummy adversary (Unruh [68, Lemma 12])). Assume that $\Pi$ quantum-UC emulates $\Gamma$ with respect to the dummy adversary (i.e., instead of quantifying over all adversaries, we fix $\mathcal{A} := \mathcal{A}_{dummy}$). Then $\Pi$ quantum-UC emulates $\Gamma$. This holds in both the computational and the statistical setting.


4 Classical Protocols with Quantum Security

This section studies which classical protocols remain secure against quantum attacks in the computational setting. Let $\mathcal{F}$ be a classical two-party poly-time functionality. For technical reasons, $\mathcal{F}$ needs to be well-formed; see [14, 15] for a formal definition and discussion. Throughout this paper, we only consider well-formed functionalities. Classically, there are two important families of secure protocols:

• Stand-alone secure computation [38]: assuming the existence of enhanced trapdoor permutations, there exist poly-time protocols that computationally stand-alone emulate $\mathcal{F}$.

• Universally composable secure computation [15]: assuming the existence of enhanced trapdoor permutations, there exist protocols in the $\mathcal{F}_{ZK}$-hybrid model that computationally UC emulate $\mathcal{F}$.

Our main result shows that these general feasibility results largely remain unchanged against quantum attacks:

Theorem (Informal). For any classical two-party functionality $\mathcal{F}$, there exists a classical protocol $\pi$ that quantum computationally stand-alone emulates $\mathcal{F}$, under suitable quantum-resistant computational assumptions.

The proof of the theorem can be broken into two parts. First, in Section 4.1, we show a quantum analogue of [15]: namely, there exist functionalities, such as $\mathcal{F}_{ZK}$, that are powerful enough to realize any other functionality based on them, even with respect to computational quantum-UC security. To achieve this, we develop a framework called simple hybrid arguments in Section 4.1.1 to capture a large family of classical security analyses that go through against quantum adversaries. As a result, it remains to design a (stand-alone) secure protocol for $\mathcal{F}_{ZK}$, which is the content of Section 4.2. We stress that the security of existing protocols for $\mathcal{F}_{ZK}$ relies on a sophisticated rewinding argument, and it is not clear whether those arguments remain valid against quantum adversaries. Hence we need new ideas to get around this difficulty.

⁴ People often refer to this type of composition as UC composition, presumably because security in the UC model implies general concurrent composition. This should not cause any further confusion.
4.1 Basing Quantum UC Secure Computation on $\mathcal{F}_{ZK}$

We show here that $\mathcal{F}_{ZK}$ is sufficient for UC secure computation of any two-party functionality against computationally bounded quantum adversaries. That is, for any well-formed functionality $\mathcal{F}$, there exists an $\mathcal{F}_{ZK}$-hybrid protocol that C-QUC emulates $\mathcal{F}$. We stress that these protocols are all classical, and can be implemented efficiently with classical communication and computation devices.

Theorem 4.1. Let $\mathcal{F}$ be a two-party functionality. Under Assumptions 1 and 2, there exists a classical $\mathcal{F}_{ZK}$-hybrid protocol that C-QUC emulates $\mathcal{F}$ in the presence of polynomial-time malicious quantum adversaries with static corruption.

Assumption 1. There exists a classical pseudorandom generator secure against any poly-time quantum distinguisher.

Based on this assumption and the construction of [60], we can obtain a statistically binding and quantum computationally hiding commitment scheme $\pi_{com}$. All commitment schemes we use afterwards refer to this one. This assumption also suffices for Watrous's ZK proof system for any NP language against quantum attacks.

Assumption 2. There exists a dense classical public-key cryptosystem that is IND-CPA (chosen-plaintext attack) secure against quantum distinguishers.

A public-key cryptosystem is dense if a valid public key is indistinguishable in quantum poly-time from a uniformly random string of the same length. Although it is likely that standard reductions would show that Assumption 2 implies Assumption 1, we chose to keep the assumptions separate because the instantiation of the pseudorandom generator one would normally use would not be related to the public-key system (instead, it would typically be based on a symmetric-key block or stream cipher). Both assumptions hold, for instance, assuming the hardness of the learning with errors (LWE) problem [64].

4.1.1 Simple Hybrid Argument.

Our analysis is based on a new abstraction called a simple hybrid argument (SHA). It captures a family of classical security arguments in the UC model which remain valid in the quantum setting (as long as the underlying primitives are secure against quantum adversaries).

Definition 4.2 (Simply related machines). We say two QIMs $M_a$ and $M_b$ are $(t,\epsilon)$-simply related if there is a time-$t$ QIM $M$ and a pair of classical distributions $(D_a, D_b)$ such that

(a) $M(D_a) = M_a$ (for two QIMs $N_1$ and $N_2$, we say $N_1 = N_2$ if the two machines behave identically on all inputs, that is, if they can be described by the same circuits),

(b) $M(D_b) = M_b$, and

(c) $D_a \approx_{2t,\epsilon} D_b$, i.e., no time-$2t$ (quantum) distinguisher tells $D_a$ from $D_b$ with advantage greater than $\epsilon$.

Example 1. Figure 5 illustrates a pair of simply related machines.

Figure 5: Two simply related machines: $M_a$ is machine $M$ on input $a$ chosen uniformly at random; $M_b$ is machine $M$ on input a pseudorandom string $\mathrm{PG}(r)$.

Lemma 4.3. If two machines $M_a$ and $M_b$ are $(t,\epsilon)$-simply related, then $M_a \approx_{t,\epsilon} M_b$, i.e., they are $(t,\epsilon)$-interactively indistinguishable (as per the definition of interactive indistinguishability in Section 2).

Proof. By definition, $M_a = M(D_a)$ and $M_b = M(D_b)$. If there is a time-$t$ environment $\mathcal{Z}$ with quantum advice $\sigma$ that distinguishes $M_a$ and $M_b$ with advantage $\epsilon' > \epsilon$, we can construct a time-$2t$ distinguisher $D$ for $D_a$ and $D_b$ with advantage $\epsilon'$ as well. This contradicts $D_a \approx_{2t,\epsilon} D_b$. Distinguisher $D$ works by taking an input sample $d$ from either $D_a$ or $D_b$, simulating $\langle \mathcal{Z}(\sigma), M(d) \rangle$, and outputting whatever $\mathcal{Z}$ outputs. Obviously, $D$ runs in time at most $2t$ (time $t$ for $M$ and time $t$ for $\mathcal{Z}$) and distinguishes $D_a$ and $D_b$ with the same advantage that $\mathcal{Z}$ distinguishes $M_a$ and $M_b$. Thus we conclude $|\Pr[\langle \mathcal{Z}(\sigma), M_a \rangle = 1] - \Pr[\langle \mathcal{Z}(\sigma), M_b \rangle = 1]| \le \epsilon$ for any time-$t$ environment $\mathcal{Z}$. □

Definition 4.4 (Simple hybrid argument). Two machines $M_0$ and $M_\ell$ are related by a $(t,\epsilon)$-simple hybrid argument of length $\ell$ if there is a sequence of intermediate machines $M_1, M_2, \ldots, M_{\ell-1}$ such that each adjacent pair $M_{i-1}, M_i$ of machines, $i = 1, \ldots, \ell$, is $(t, \epsilon/\ell)$-simply related.

Lemma 4.5. For any $t$, $\epsilon$ and $\ell$, if two machines are related by a $(t,\epsilon)$-simple hybrid argument of length $\ell$, then the machines are $(t,\epsilon)$-interactively indistinguishable.

Proof. This is by a standard hybrid argument. Suppose, for contradiction, there exists a time-$t$ machine $\mathcal{Z}$ with advice $\sigma$ such that

$$|\Pr[\langle \mathcal{Z}(\sigma), M_0 \rangle = 1] - \Pr[\langle \mathcal{Z}(\sigma), M_\ell \rangle = 1]| > \epsilon .$$

By the triangle inequality,

$$\epsilon < |\Pr[\langle \mathcal{Z}(\sigma), M_0 \rangle = 1] - \Pr[\langle \mathcal{Z}(\sigma), M_\ell \rangle = 1]| \le \sum_{i=0}^{\ell-1} |\Pr[\langle \mathcal{Z}(\sigma), M_i \rangle = 1] - \Pr[\langle \mathcal{Z}(\sigma), M_{i+1} \rangle = 1]| ,$$

so there must exist some $i$ such that

$$|\Pr[\langle \mathcal{Z}(\sigma), M_i \rangle = 1] - \Pr[\langle \mathcal{Z}(\sigma), M_{i+1} \rangle = 1]| > \epsilon/\ell .$$

However, by assumption $M_i$ and $M_{i+1}$ are $(t, \epsilon/\ell)$-simply related, and so by Lemma 4.3 no time-$t$ machine can distinguish them with advantage greater than $\epsilon/\ell$. □

4.1.2 Lifting CLOS to Quantum UC Security.

Now we apply our simple hybrid argument framework to analyze the protocol in CLOS. We first review the structure of the construction of CLOS in the static setting:

(a) Let $\mathcal{F}$ be a two-party functionality. Design a protocol $\pi$ that computationally (classically) UC (C-CUC) emulates $\mathcal{F}$ against semi-honest adversaries. The protocol uses a semi-honest oblivious transfer (ShOT) protocol, which can be constructed assuming the existence of enhanced trapdoor permutations.

(b) Let $\mathcal{F}_{CP}$ be the "commit-and-prove" functionality of [15, Figure 8]. A protocol is constructed in the $\mathcal{F}_{ZK}$-hybrid model that C-CUC emulates $\mathcal{F}_{CP}$, assuming the existence of a statistically binding and computationally hiding commitment scheme. Such a commitment scheme in turn can be constructed from a pseudorandom generator [60].

(c) In the $\mathcal{F}_{CP}$-hybrid model, a generic compiler COMP is designed. Let $\pi' = \mathrm{COMP}(\pi)$ be the $\mathcal{F}_{CP}$-hybrid protocol after compilation. It is shown in [15, Proposition 8.1] that for every classical adversary $\mathcal{A}'$ there exists a classical adversary $\mathcal{A}$, with running time polynomial in that of $\mathcal{A}'$, such that the interaction of $\mathcal{A}'$ with honest players running $\pi'$ is identical to the interaction of $\mathcal{A}$ with $\pi$ in the semi-honest model. It then follows, by the UC composition theorem, that $\pi'$ C-CUC emulates $\mathcal{F}$ in the $\mathcal{F}_{ZK}$-hybrid model.

We then show how to make the construction secure against quantum adversaries using proper quantum-resistant assumptions. The key observation is that the security proofs of the semi-honest protocol and of the $\mathcal{F}_{CP}$ protocol in the $\mathcal{F}_{ZK}$-hybrid model fall into our simple hybrid argument framework. Thus, once we strengthen the computational assumptions to be quantum-resistant, they immediately become secure against quantum adversaries. This is stated more precisely below.

Observation 4.6 (CLOS proof structure). In CLOS, the security proofs for the semi-honest protocol and for the protocol for $\mathcal{F}_{CP}$ in the $\mathcal{F}_{ZK}$-hybrid model against static adversaries consist of simple hybrid arguments with $t = \mathrm{poly}(n)$ and $\epsilon = \mathrm{negl}(n)$. Moreover, the underlying indistinguishable distributions in the CLOS arguments consist of either (i) switching between a real public key and a uniformly random string, (ii) changing the plaintext of an encryption, or (iii) changing the message in the commit phase of a commitment protocol.

From this observation, we get the corollary below.

Corollary 4.7 (CLOS, simple hybrids). (a) In the $\mathcal{F}_{ZK}$-hybrid model and under Assumption 1, there is a non-trivial protocol that UC-emulates $\mathcal{F}_{CP}$ in the presence of polynomial-time malicious static quantum adversaries.

(b) Let $\mathcal{F}$ be a well-formed two-party functionality. In the plain model, there is a protocol that UC-emulates $\mathcal{F}$ in the presence of polynomial-time semi-honest static quantum adversaries under Assumption 2.

Proof. Observation 4.6 tells us there are two types of proofs in CLOS, so we only have to show that both can be lifted to hold against quantum adversaries. On the one hand, the simple hybrid arguments in CLOS still hold if we make Assumptions 1 and 2, because the underlying distributions in these hybrid experiments remain indistinguishable against quantum distinguishers. On the other hand, we know that quantum UC composition also holds, by Theorem 3.7.

More specifically, for the $\mathcal{F}_{CP}$ protocol in the $\mathcal{F}_{ZK}$-hybrid model, the simply related machines in its proof are related by switching the messages being committed. Hence the $\mathcal{F}_{CP}$ protocol remains secure against malicious static quantum adversaries under Assumption 1. In the semi-honest setting, an OT protocol can be constructed from a dense cryptosystem (Assumption 2); see Goldreich [37]. Its proof consists of simply related machines that are related by either switching between a valid public key and a random string (when the sender is corrupted) or switching the plaintext of an encryption (when the receiver is corrupted). Therefore, this protocol C-QUC emulates $\mathcal{F}_{OT}$ against semi-honest quantum adversaries. Next, in the $\mathcal{F}_{OT}$-hybrid model, the construction for an arbitrary $\mathcal{F}$ is unconditionally secure, which, by Unruh's lifting theorem, remains quantum-UC secure. Hence the quantum UC composition theorem gives that there is a classical protocol that C-QUC emulates $\mathcal{F}$ in the presence of semi-honest static quantum adversaries. □


Combining the previous arguments we can prove Theorem 4.1.

Proof of Theorem 4.1. Fix a well-formed functionality $\mathcal{F}$ and let $\Pi$ be the protocol for $\mathcal{F}$ in the semi-honest model guaranteed by the second part of Corollary 4.7. Now consider $\Pi' = \mathrm{COMP}(\Pi)$. We want to show that it C-QUC emulates $\mathcal{F}$. Theorem 3.8 tells us that it suffices to consider the classical dummy adversary $\mathcal{A}_{\mathrm{dummy}}$. By CLOS (Proposition 8.1), the interaction of the dummy adversary $\mathcal{A}_{\mathrm{dummy}}$ with $\Pi'$ (in the $\mathcal{F}_{CP}$-hybrid model) is identical to the interaction of the adversary $\mathcal{A}$ with $\Pi$ (in the semi-honest model). By the security of $\Pi$ in the semi-honest model, there exists an ideal-world adversary $\mathcal{S}$ such that

Thus, $\Pi'$ securely emulates $\mathcal{F}$ in the $\mathcal{F}_{CP}$-hybrid model against malicious adversaries. By the quantum UC composition theorem, we can compose $\Pi'$ with the protocol for $\mathcal{F}_{CP}$ to get a protocol secure against malicious quantum adversaries in the $\mathcal{F}_{ZK}$-hybrid model. □


4.2 Realizing $\mathcal{F}_{ZK}$ with Stand-alone Security

In this section, we construct a protocol $\Pi_{ZK}$ that quantum stand-alone emulates $\mathcal{F}_{ZK}$. In the stand-alone model, $\mathcal{F}_{ZK}$ is more commonly referred to as a zero-knowledge argument of knowledge.

We will use a dense encryption scheme $\mathcal{E} = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ as in Assumption 2. Note that $\mathrm{Enc}$ is a randomized algorithm, and we denote by $\mathrm{Enc}_{pk}(m, r)$ the encryption of a message $m$ under a public key $pk$ using randomness $r$. Unless the randomness is needed, we usually omit it in the notation and write $\mathrm{Enc}_{pk}(m)$. We will also need a result of Watrous, who showed that there exist classical zero-knowledge proofs for any NP language that are secure against any poly-time quantum verifier. For completeness we give his definition (adapted to our terminology) of a quantum computational zero-knowledge proof (Definition 7 in his paper).

Definition 4.8. An interactive proof system $(P, V)$ for a language $L$ is quantum computational zero-knowledge if for every poly-time QIM $V'$, there exists a poly-time QIM $\mathcal{S}_{V'}$ that satisfies the following requirements.

(a) The verifier $V'$ and simulator $\mathcal{S}_{V'}$ agree on the polynomially bounded functions $q$ and $r$ that specify the number of auxiliary input qubits and output qubits, respectively.

(b) Let $M_{(P,V')}(x)$ be the machine describing the interaction between $V'$ and $P$ on input $x$, and let $M_{\mathcal{S}_{V'}}(x)$ be the simulator's machine on input $x$. Then the ensembles $\{M_{(P,V')}(x) : x \in L\}$ and $\{M_{\mathcal{S}_{V'}}(x) : x \in L\}$ are quantum computationally indistinguishable as per Definition 2.3.


Now that we have all building blocks ready, our construction of a classical ZKAoK protocol is as follows.

Theorem 4.9. Protocol $\Pi_{ZK}$ quantum stand-alone-emulates $\mathcal{F}_{ZK}$.

The full proof appears in Sect. 4.2.1. We provide a brief and intuitive justification here. Roughly speaking, Phase 1 constitutes what may be called a "semi-simulatable" coin-flipping protocol. Specifically, we can simulate a corrupted Prover. This implies that a simulator $\mathcal{S}$ can "cheat" in Phase 1 and force the outcome to be a public key $pk$ of which he knows a corresponding secret key $sk$, so that $\mathcal{S}$ can decrypt $e$ to recover $w$ in the end. This allows us to show argument of knowledge (in our stand-alone model). On the other side, although generally we cannot simulate a corrupted verifier in Phase 1, we can guarantee that the outcome $pk$ is uniformly random if the verifier behaves honestly. This is good enough to show zero-knowledge, because we can later encrypt an all-zero string and use the simulator for the ZK protocol in Phase 2 to produce a fake proof. In reality, a corrupted verifier may bias the coin-flipping outcome by aborting depending on the Prover's message $b$, for example. This technical subtlety, nonetheless, is not hard to deal with. Intuitively the verifier only sees "less" information about the witness if he/she decides to abort in Phase 1.
ZKAoK Protocol $\Pi_{ZK}$

Phase 1

(a) $V$ chooses $a \leftarrow \{0,1\}^n$ at random, and sends $P$ a commitment of $a$: $c = \mathrm{comm}(a)$.

(b) $P$ sends $b \leftarrow \{0,1\}^n$ to $V$.

(c) $V$ sends $P$ the string $a$.

(d) $V$ proves to $P$ that $c$ is indeed a commitment of $a$ using Watrous's ZK protocol.

(e) $P$ and $V$ set $pk = a \oplus b$ and interpret it as a public key.

Phase 2

(a) $P$, holding an instance $x$ and a witness $w$, encrypts $w$ under $pk$. Let $e = \mathrm{Enc}_{pk}(w)$. $P$ sends $(x, e)$ to $V$.

(b) $P$ proves to $V$ that $e$ encodes a witness of $x$ using Watrous's ZK protocol. $V$ accepts if it accepts in this ZK protocol. Otherwise it rejects and halts.


4.2.1 Proof of Theorem 4.9: Quantum Stand-alone Secure ZKAoK

For the sake of clarity, we propose a non-interactive notion of simple hybrid argument, analogous to Def. 4.4, which formalizes a common structure in stand-alone security proofs.


Definition 4.10 (Simply related non-interactive machines). We say two QTMs $M_a$ and $M_b$ are $(t, \epsilon)$-simply related if there is a time-$t$ QTM $M$ and a pair of QTMs $(N_a, N_b)$ such that

(a) $M^{N_a} = M_a$ (for two QTMs $N_1$ and $N_2$, we say $N_1 = N_2$ if they can be described by the same circuits),

(b) $M^{N_b} = M_b$, and

(c) $N_a$ and $N_b$ are $(t, \epsilon)$-indistinguishable.

Remark 3. (i) $M^{N}$ is the machine that gives $M$ oracle access to $N$. (ii) As a typical example of a pair of indistinguishable QTMs, consider $N_a$ being a QTM describing a ZK protocol with a (dishonest) verifier, and $N_b$ being a simulator's machine. Then by the definition of a valid simulator, $N_a$ and $N_b$ are indistinguishable. (iii) Machines $(N_a, N_b)$ in the definition also capture a pair of indistinguishable classical distributions that are efficiently samplable. Namely, we can let $N_a$ and $N_b$ be algorithms that sample from distributions $D_a$ and $D_b$ respectively.


Definition 4.11 (Simple hybrid argument (non-interactive version)). Two machines $M_0$ and $M_\ell$ are related by a $(t, \epsilon)$-simple hybrid argument of length $\ell$ if there is a sequence of intermediate machines $M_1, M_2, \ldots, M_{\ell-1}$ such that each adjacent pair $M_{i-1}, M_i$ of machines, $i = 1, \ldots, \ell$, is $(t, \epsilon/\ell)$-simply related.

Lemma 4.12. For any $t$, $\epsilon$ and $\ell$, if two machines are related by a $(t, \epsilon)$-simple hybrid argument of length $\ell$, then the machines are $(t, \epsilon)$-indistinguishable.

Proof. Suppose for contradiction that there exists a time-$t$ QTM $\mathcal{Z}$ with advice $\sigma_n$ such that

$$\big|\Pr[\mathcal{Z}((M_0 \otimes \mathbb{1}_R)(\sigma_n)) = 1] - \Pr[\mathcal{Z}((M_\ell \otimes \mathbb{1}_R)(\sigma_n)) = 1]\big| > \epsilon.$$

Then by the triangle inequality there must exist some $i$ such that

$$\big|\Pr[\mathcal{Z}((M_i \otimes \mathbb{1}_R)(\sigma_n)) = 1] - \Pr[\mathcal{Z}((M_{i+1} \otimes \mathbb{1}_R)(\sigma_n)) = 1]\big| > \epsilon/\ell.$$

However, by assumption $M_i$ and $M_{i+1}$ are $(t, \epsilon/\ell)$-simply related and in particular no time-$t$ QTM can distinguish them with advantage greater than $\epsilon/\ell$. □

Remark 4. Actually, the proof of our modular composition theorem can be seen as a simple hybrid argument. Specifically, in Step 3, $M_{\Pi',\mathcal{A}}$ and $M_{\Pi,\mathcal{S}}$ are simply related by $M_{\Gamma',\mathcal{A}_{\Gamma'}}$ and $M_{\Gamma,\mathcal{A}_{\Gamma}}$.

We now prove Theorem 4.9 following the (non-interactive) simple hybrid argument framework.

Proof of Theorem 4.9. We denote the two ZK proof systems in Phases 1 and 2 by $\mathrm{ZK}_1$ and $\mathrm{ZK}_2$ respectively. The two NP languages, formalized below, are denoted by $L_1$ and $L_2$ respectively.

$$L_1 = \{(c, a) : \exists r \in \{0,1\}^* \text{ s.t. } \mathrm{comm}(a, r) = c\}$$

$$L_2 = \{(pk, x, e) : \exists w, r \in \{0,1\}^* \text{ s.t. } \mathrm{Enc}_{pk}(w, r) = e \wedge (x, w) \in R_L\}$$

The simulators of $\mathrm{ZK}_1$ and $\mathrm{ZK}_2$ are denoted by $\mathcal{S}_1$ and $\mathcal{S}_2$ respectively. We stress that Watrous's ZK protocol has negligible completeness and soundness errors, and in addition the simulator succeeds for arbitrary quantum poly-time verifiers on true instances, except with negligible probability.

Prover is Corrupted. For any real-world adversary $\mathcal{A}$, we construct an ideal-world adversary $\mathcal{S}$.

Simulator $\mathcal{S}$: Prover is corrupted
Input: $\mathcal{A}$ as a black box; security parameter $1^n$.

1. $\mathcal{S}$ initializes $\mathcal{A}$ with whatever input state it receives.

2. In Phase 1, $\mathcal{S}$ does the following:

(a) Compute $c = \mathrm{comm}(0^n)$ and send it to $\mathcal{A}$.

(b) Obtain $b \in \{0,1\}^n$ from $\mathcal{A}$.

(c) Run $\mathrm{Gen}(1^n)$ to obtain $(pk, sk)$. Send $a = pk \oplus b$ to $\mathcal{A}$.

(d) Run the simulator $\mathcal{S}_1$ for $\mathrm{ZK}_1$ with input $(c, a)$.

3. In Phase 2, $\mathcal{S}$ obtains $(x, e)$ and executes $\mathrm{ZK}_2$ with $\mathcal{A}$. If $\mathrm{ZK}_2$ succeeds, $\mathcal{S}$ decrypts $e$ to get $w = \mathrm{Dec}_{sk}(e)$ and sends $(x, w)$ to $\mathcal{F}_{ZK}$.

4. $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs.


Let $M_{\mathcal{F}_{ZK},\mathcal{S}}$ be the QTM of the ideal-world interaction between $\mathcal{S}$, $\mathcal{F}_{ZK}$ and $V$; and let $M_{\Pi_{ZK},\mathcal{A}(P)}$ be the QTM describing the real-world interaction between $\mathcal{A}$ and $V$.

Lemma 4.13. $M_{\Pi_{ZK},\mathcal{A}(P)} \approx_{qc} M_{\mathcal{F}_{ZK},\mathcal{S}}$.

Proof. We define a sequence of machines to form a hybrid argument:

Hybrid Machines: relating $M_{\mathcal{F}_{ZK},\mathcal{S}}$ and $M_{\Pi_{ZK},\mathcal{A}(P)}$

• $M_0 := M_{\mathcal{F}_{ZK},\mathcal{S}}$. Specifically, on any input state, the output has two parts: one part corresponds to the adversary $\mathcal{A}$'s output state, and the other corresponds to the dummy verifier's output, which is accepting if $w$ obtained by $\mathcal{S}$ in step 3 is a valid witness, i.e., $(x, w) \in R_L$.

• $M_1$: differs from $M_0$ only in that $M_1$ always lets the dummy verifier accept as long as $\mathrm{ZK}_2$ succeeds.

• $M_2$: differs from $M_1$ in the message $a$ in Phase 1: instead of sending $pk \oplus b$, in $M_2$, $a \leftarrow \{0,1\}^n$ is set to be a uniformly random string.

• $M_3$: in the first step of Phase 1, $M_3$ commits to $a$ instead of committing to $0^n$.

• $M_4$: instead of running simulator $\mathcal{S}_1$, $M_4$ executes the actual $\mathrm{ZK}_1$ protocol. Observe that $M_4 = M_{\Pi_{ZK},\mathcal{A}(P)}$.

Now it is easy to see:

• $M_0 \approx_{qc} M_1$. These two QTMs would behave differently only if $\mathrm{ZK}_2$ succeeds but $w$ is not a valid witness. Namely $\mathcal{A}$ (corrupted prover) has managed to prove a false statement that $e$ encodes a true witness. By the soundness property of $\mathrm{ZK}_2$, however, this only occurs with negligible probability.

• Machines $M_1, \ldots, M_4$ form a simple hybrid argument. More specifically, each adjacent pair of machines constitutes simply related machines:

– $M_1$ and $M_2$ are simply related by switching valid public keys to uniformly random strings.

– $M_2$ and $M_3$ are simply related by changing the messages being committed to.

– $M_3$ and $M_4$ are simply related via a pair of indistinguishable QTMs $N_a$ and $N_b$, where $N_a$ is the simulator $\mathcal{S}_1$, and $N_b$ is the machine describing $\mathrm{ZK}_1$.

Thus $M_{\Pi_{ZK},\mathcal{A}(P)} \approx_{qc} M_{\mathcal{F}_{ZK},\mathcal{S}}$. □

Verifier is Corrupted. We construct an ideal-world $\mathcal{S}$ for any adversary $\mathcal{A}$ that corrupts the verifier as follows:

Simulator $\mathcal{S}$: Verifier is corrupted
Input: $\mathcal{A}$ as a black box; security parameter $1^n$.

1. $\mathcal{S}$ initializes $\mathcal{A}$ with whatever input state it receives.

2. Wait till it gets $x$ from $\mathcal{F}_{ZK}$. Then do the following.

3. In Phase 1, $\mathcal{S}$ behaves honestly and aborts if $\mathcal{A}$ aborts. Let the outcome be $pk$.

4. In Phase 2:

(a) $\mathcal{S}$ picks an arbitrary string, say $0^{|w|}$, and sends $e = \mathrm{Enc}_{pk}(0^{|w|})$ to $\mathcal{A}$.

(b) $\mathcal{S}$ runs the simulator $\mathcal{S}_2$ for $\mathrm{ZK}_2$ with input $(pk, e, x)$.

5. $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs.

Let $M_{\mathcal{F}_{ZK},\mathcal{S}}$ be the QTM of the ideal-world interaction between $P$, $\mathcal{F}_{ZK}$ and $\mathcal{S}$; and let $M_{\Pi_{ZK},\mathcal{A}(V)}$ be the QTM describing the real-world interaction between $P$ and $\mathcal{A}$.

Lemma 4.14. $M_{\Pi_{ZK},\mathcal{A}(V)} \approx_{qc} M_{\mathcal{F}_{ZK},\mathcal{S}}$.

Proof. The proof again follows a hybrid argument. We define the following hybrids.

Hybrid Machines: relating $M_{\Pi_{ZK},\mathcal{A}(V)}$ and $M_{\mathcal{F}_{ZK},\mathcal{S}}$

• $M_0 := M_{\Pi_{ZK},\mathcal{A}(V)}$.

• $M_1$: $M_1$ runs the simulator $\mathcal{S}_2$ instead of invoking the actual $\mathrm{ZK}_2$ protocol.

• $M_2$: $M_2$ encrypts $0^{|w|}$ instead of a valid witness $w$. Observe that $M_2 = M_{\mathcal{F}_{ZK},\mathcal{S}}$.

Clearly machines $M_0$ and $M_1$ are simply related via a pair of QTMs $N_a$ and $N_b$, where $N_a$ is the simulator $\mathcal{S}_2$, and $N_b$ is the machine describing $\mathrm{ZK}_2$. Hence they are quantum computationally indistinguishable. Showing indistinguishability of $M_1$ and $M_2$ slightly deviates from our simple hybrid argument framework. We will modify $M_1$ and $M_2$ to get two machines $\tilde{M}_1$ and $\tilde{M}_2$ which may run in super-polynomial time (see the footnote below). We can then show that $\tilde{M}_1 \approx_{qc} \tilde{M}_2$ and that $\tilde{M}_1 \approx_{qc} \tilde{M}_2$ implies $M_1 \approx_{qc} M_2$.

Specifically $\tilde{M}_1$ makes one change from $M_1$: if the corrupted verifier aborts during Phase 1, $P$ extracts $a$ from $c$ using possibly super-polynomial-time brute-force search. Because the commitment scheme is statistically binding, there is a well-defined $a$ with overwhelming probability. In addition, soundness of $\mathrm{ZK}_1$ ensures that the extracted string $\tilde{a}$ equals $a$ except for negligible soundness error. In this way, $P$ still gets $pk := a \oplus b$ and we let $P$ send $\mathrm{Enc}_{pk}(w)$ to the verifier even in case of abort. $\tilde{M}_2$ is modified similarly. Namely a (super-polynomial-time) simulator extracts $pk$ and sends $\mathrm{Enc}_{pk}(0^{|w|})$ in case of abort.

Note that $\tilde{M}_1$ and $\tilde{M}_2$ are simply related by switching the plaintexts, and therefore $\tilde{M}_1 \approx_{qc} \tilde{M}_2$ follows by our simple hybrid argument framework. Next we claim that if $\tilde{M}_1 \approx_{qc} \tilde{M}_2$, then $M_1 \approx_{qc} M_2$. This is because if there exists a distinguisher $D$ that tells apart $M_1$ and $M_2$, then one can as well distinguish $\tilde{M}_1$ from $\tilde{M}_2$ by ignoring the ciphertext in case of abort and then invoking $D$.

Therefore we have that $M_{\Pi_{ZK},\mathcal{A}(V)} \approx_{qc} M_{\mathcal{F}_{ZK},\mathcal{S}}$. □

Finally, we conclude that Theorem 4.9 holds. □


4.3 Putting It Together

Recall the results that we have obtained so far:

(a) Under Assumptions 1 and 2, for any well-formed two-party functionality $\mathcal{F}$, there is a classical protocol that quantum-UC emulates $\mathcal{F}$ in the $\mathcal{F}_{ZK}$-hybrid model (Theorem 4.1).

(b) Under Assumptions 1 and 2, there exists a classical protocol $\Pi_{ZK}$ that C-QSA emulates $\mathcal{F}_{ZK}$ (Theorem 4.9).

Applying our modular composition theorem (Theorem 3.4) to the above, we obtain the main theorem:

Theorem 4.15. For any well-formed classical two-party functionality $\mathcal{F}$, there exists a classical protocol $\Pi$ that C-QSA realizes $\mathcal{F}$ against malicious static quantum adversaries in the plain model, under Assumptions 1 and 2.


Footnote: Although the machines $\tilde{M}$ are not necessarily poly-time, we can still talk about distinguishing them by poly-time distinguishers according to Definition 2.3. If the output register of $\tilde{M}$ exceeds the dimension of the input of the distinguisher, we assume that the distinguisher just takes an arbitrary portion that fits.
5 Equivalence Between $\mathcal{F}_{ZK}$ and $\mathcal{F}_{CF}$

We have seen that the $\mathcal{F}_{ZK}$ functionality is sufficient to realize any other functionality. It is interesting to find out if this holds as well for other functionalities. More generally, we may ask what the relations between different functionalities are. In this section, we show that $\mathcal{F}_{ZK}$ and $\mathcal{F}_{CF}$ are equivalent in the sense that one can be UC-realized from the other.

Theorem 5.1 (Equivalence between $\mathcal{F}_{ZK}$ and $\mathcal{F}_{CF}$). (a) Under Assumption 1, there is a constant-round protocol that C-QUC emulates $\mathcal{F}_{CF}$ in the $\mathcal{F}_{ZK}$-hybrid model.

(b) Under Assumptions 1 and 2, there is a constant-round protocol that C-QUC emulates $\mathcal{F}_{ZK}$ in the $\mathcal{F}_{CF}$-hybrid model.

It is possible to obtain more connections between different functionalities. For example, [16] gives a ZK protocol that statistically UC and hence C-QUC emulates $\mathcal{F}_{ZK}$ in the $\mathcal{F}_{COM}$-hybrid model. On the other hand, our Theorem 4.1 implies that $\mathcal{F}_{COM}$ can be C-QUC realized in the $\mathcal{F}_{ZK}$-hybrid model. Thus $\mathcal{F}_{ZK}$ and $\mathcal{F}_{COM}$ are equivalent in the computationally quantum-UC model. See [3?] for a systematic study of the reducibility and characterization of functionalities in the quantum UC model.


5.1 From $\mathcal{F}_{ZK}$ to $\mathcal{F}_{CF}$

Theorem 4.1 already implies that $\mathcal{F}_{CF}$ can be C-QUC realized in the $\mathcal{F}_{ZK}$-hybrid model. However, that relies on the generic construction of CLOS, which is typically not optimal in terms of the number of rounds (i.e., round complexity) and the amount of messages exchanged (i.e., communication complexity). Here we give a direct reduction which is simple and more efficient. Specifically, we show that the parallel coin-flipping protocol of Lindell [50], once executed in the $\mathcal{F}_{ZK}$-hybrid model, i.e., with the (stand-alone) ZKAoK protocol replaced by the ideal protocol for $\mathcal{F}_{ZK}$, is C-QUC secure. This yields a constant-round protocol for $\mathcal{F}_{CF}$, and we need only Assumption 1, the existence of a quantum-secure PRG. The protocol is shown below.

Coin-Flipping Protocol $\Pi_{CF}$

1. A chooses $a \leftarrow \{0,1\}^n$ at random, and sends B a commitment of $a$: $c = \mathrm{comm}(a, r)$.

2. A proves knowledge of $(a, r)$ using $\mathcal{F}_{ZK}$.

3. B sends $b \leftarrow \{0,1\}^n$ to A.

4. A sends B the string $a$.

5. A proves to B that $c$ is indeed a commitment of $a$ using $\mathcal{F}_{ZK}$.

6. A and B set $s = a \oplus b$ as the outcome.
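The message flow of $\Pi_{CF}$ above, together with the move the simulator makes in step 5 when A is corrupted, written out as an added illustration (it also covers Phase 1 of $\Pi_{ZK}$ in Section 4.2, which is the same commit-then-open coin flip). This is not code from the paper: the commitment is a SHA-256 hash commitment standing in for the statistically binding scheme of Assumption 1, the two $\mathcal{F}_{ZK}$ proofs are replaced by the verifier checking the opening directly, and the string length `N_BITS` and all sampled values are constructed.

```python
import hashlib
import secrets
from typing import Optional

N_BITS = 16  # toy length n of the strings a, b (constructed; a real deployment uses a security-parameter-sized n)


def commit(a: int, r: bytes) -> bytes:
    """Constructed stand-in for comm(a, r): a SHA-256 hash commitment.

    The paper's commitment (Assumption 1) is statistically binding and
    computationally hiding; a hash commitment is only computationally
    binding, so this models the protocol flow rather than instantiating it.
    """
    return hashlib.sha256(b"coinflip|" + a.to_bytes(4, "big") + b"|" + r).digest()


def valid_opening(c: bytes, a: int, r: bytes) -> bool:
    """The relation F_ZK is asked to verify in steps 2 and 5 of Pi_CF:
    is (a, r) an opening of c?  (The ZK proofs are replaced here by the
    verifier seeing the opening directly, which is enough for a flow model.)"""
    return c == commit(a, r)


def run_coin_flip(a: int, b: int, reveal: Optional[int] = None) -> Optional[int]:
    """Message flow of Pi_CF between A (holding a) and B (holding b).

    `reveal` models a misbehaving A that tries to open c to a different string
    in step 4.  Returns the outcome s = a XOR b, or None when B aborts.
    """
    r = secrets.token_bytes(16)
    c = commit(a, r)                      # step 1: A -> B, commitment to a
    if not valid_opening(c, a, r):        # step 2: A proves knowledge of (a, r) to F_ZK
        return None
    # step 3: B -> A its string b.  b was fixed before a is revealed and c hides a,
    # so B cannot correlate b with a.
    opened = a if reveal is None else reveal
    if not valid_opening(c, opened, r):   # steps 4/5: A sends a and proves c commits to it
        return None                       # binding: an inconsistent opening makes F_ZK reject, B aborts
    return opened ^ b                     # step 6: s = a XOR b


def simulator_choose_b(a: int, s: int) -> int:
    """Step 5 of the simulator for a corrupted A.  S learned a from the opening
    A handed to (the emulated) F_ZK and received the ideal outcome s from F_CF;
    sending b = a XOR s forces the real-world outcome onto s.  Since s is
    uniform, so is b, exactly as an honest B's message would be."""
    return a ^ s


def demo() -> dict:
    """Honest run, a caught inconsistent opening, and the simulator's b, on constructed values."""
    a = secrets.randbelow(1 << N_BITS)
    b = secrets.randbelow(1 << N_BITS)
    s_ideal = secrets.randbelow(1 << N_BITS)
    return {
        "honest": run_coin_flip(a, b) == (a ^ b),
        "caught": run_coin_flip(a, b, reveal=a ^ 1) is None,
        "forced": run_coin_flip(a, simulator_choose_b(a, s_ideal)) == s_ideal,
    }


if __name__ == "__main__":
    print(demo())
```

The `forced` entry is the whole content of the proof of Claim 5.2: once $\mathcal{S}$ knows $a$, choosing $b = a \oplus s$ makes the transcript end on the ideal outcome $s$, and the distribution of $b$ is unchanged because $s$ is uniform.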


We give proofs for corrupted A and corrupted B separately.

Player A is Corrupted. We construct an ideal-world $\mathcal{S}$ for any adversary $\mathcal{A}$ corrupting A.

Claim 5.2. For any $\mathcal{A}$ corrupting A, $M_{\Pi_{CF},\mathcal{A}} \approx_{qc} M_{\mathcal{F}_{CF},\mathcal{S}}$.

Simulator $\mathcal{S}$: A is corrupted
Input: $\mathcal{A}$ as a black box; security parameter $1^n$

1. $\mathcal{S}$ initializes $\mathcal{A}$ with whatever input state it receives from the environment.

2. $\mathcal{S}$ obtains $s$ from $\mathcal{F}_{CF}$, which is chosen uniformly at random, $s \leftarrow \{0,1\}^n$.

3. $\mathcal{S}$ receives a commitment $c$ from $\mathcal{A}$.

4. $\mathcal{A}$ shows knowledge of $(a, r)$ to $\mathcal{F}_{ZK}$, which is emulated by $\mathcal{S}$ here. $\mathcal{S}$ verifies that $c = \mathrm{comm}(a, r)$ and aborts if not. This allows $\mathcal{S}$ to learn $a$.

5. $\mathcal{S}$ sends $b = a \oplus s$ to $\mathcal{A}$.

6. $\mathcal{A}$ sends $a$ to $\mathcal{S}$. $\mathcal{S}$ aborts if $\mathcal{A}$ sends some other string not equal to $a$.

7. $\mathcal{A}$ needs to prove that $c$ is a valid commitment of $a$. It sends $((c, a), r)$ to $\mathcal{F}_{ZK}$. $\mathcal{S}$ verifies them. Abort if verification fails.

8. If $\mathcal{A}$ aborts at any point, $\mathcal{S}$ aborts $\mathcal{F}_{CF}$. Otherwise, instruct $\mathcal{F}_{CF}$ to send $s$ to the other (dummy) party B.

9. $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs.

Proof. Because $s$ is chosen uniformly, $b = a \oplus s$ is also uniformly random. The adversary must behave identically in the real world and the ideal world, and the two machines will look identical from the perspective of the environment. □

Player B Is Corrupted. For any real-world adversary $\mathcal{A}$ that corrupts B, we construct an ideal-world adversary $\mathcal{S}$.

Claim 5.3. For any $\mathcal{A}$ corrupting B, $M_{\Pi_{CF},\mathcal{A}} \approx_{qc} M_{\mathcal{F}_{CF},\mathcal{S}}$.

Proof. We define an intermediate machine $M$ which behaves differently from $M_{\mathcal{F}_{CF},\mathcal{S}}$ merely in that a uniformly random string $a \leftarrow \{0,1\}^n$ is chosen and sent to $\mathcal{A}$ in $M$, instead of sending $a = s \oplus b$. Then observe that the only difference between $M$ and $M_{\Pi_{CF},\mathcal{A}}$ appears in the first commitment message: $M$ commits to $0^n$ while $M_{\Pi_{CF},\mathcal{A}}$ commits to $a$. Hence we can claim that:

• $M_{\mathcal{F}_{CF},\mathcal{S}} = M$ since $s$ is chosen uniformly at random by $\mathcal{F}_{CF}$ and hence $s \oplus b$ is still uniformly random, just as $a$ in $M$. Thus the two machines are identical.

• $M \approx_{qc} M_{\Pi_{CF},\mathcal{A}}$ because they are simply related by changing the underlying message of a commitment.

□


Simulator $\mathcal{S}$: B is corrupted
Input: $\mathcal{A}$ as a black box; security parameter $1^n$

1. $\mathcal{S}$ initializes $\mathcal{A}$ with whatever input state it receives from the environment.

2. $\mathcal{S}$ obtains $s$ from $\mathcal{F}_{CF}$, which is chosen uniformly at random, $s \leftarrow \{0,1\}^n$.

3. $\mathcal{S}$ computes $c = \mathrm{comm}(0^n)$ and sends it to $\mathcal{A}$.

4. $\mathcal{S}$ plays the role of $\mathcal{F}_{ZK}$ and sends $c$ to $\mathcal{A}$.

5. Obtain $b \in \{0,1\}^n$ from $\mathcal{A}$.

6. $\mathcal{S}$ sends $a = s \oplus b$ to $\mathcal{A}$.

7. $\mathcal{S}$ mimics $\mathcal{F}_{ZK}$ and sends $(c, a)$ to $\mathcal{A}$.

8. If $\mathcal{A}$ aborts at any point, $\mathcal{S}$ aborts.

9. $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs.

5.2 From $\mathcal{F}_{CF}$ to $\mathcal{F}_{ZK}$

We construct a classical constant-round protocol for $\mathcal{F}_{ZK}$ in the $\mathcal{F}_{CF}$-hybrid model. Our $\Pi_{ZK}^{CF}$ protocol uses a standard transformation from a witness-indistinguishable (WI) proof system in the $\mathcal{F}_{CF}$-hybrid model.


We give a definition for WI against quantum adversaries and show a repetition theorem analogous to the classical setting to amplify the soundness of WI protocols. We also show that Blum's 3-round ZK protocol for Hamiltonian Cycle is in fact quantum-secure WI under suitable assumptions.

Definition 5.4 (Quantum computationally witness-indistinguishable, QC-WI). Let $\Pi = (P, V)$ be an interactive proof (or argument) system for a language $L \in \mathrm{NP}$. We say $\Pi$ is quantum computational witness-indistinguishable for $R_L$ if for any polynomial-time QIM $V^*$ and any two collections $\{w^1_x\}_{x \in L}$ and $\{w^2_x\}_{x \in L}$ with $w^i_x \in R_L(x)$, $i = 1, 2$, the two machines $M_1 := \{M_{P(w^1_x),V^*}\}_{x \in L}$ and $M_2 := \{M_{P(w^2_x),V^*}\}_{x \in L}$ are quantum computationally indistinguishable (i.e., $M_1 \approx_{qc} M_2$). Here $M_{P(w^i_x),V^*}$ denotes the composed machine of $P$ and $V^*$ on instance $x$, where $P$ uses witness $w^i_x$.

We know that classically WI is preserved under parallel repetition when the prover is efficient. By a similar argument, one can also show that QC-WI protocols remain QC-WI under parallel repetition. This is useful for reducing the soundness error of a QC-WI protocol. Here we only state this property and skip the proof.

Lemma 5.5 (Parallel composition of QC-WI protocols). Let $L \in \mathrm{NP}$ and suppose that $(P, V)$ is QC-WI for $R_L$ and $P$ is polynomial time given a witness. Let $q(\cdot)$ be a polynomial and let $(P^q, V^q)$ be machines that invoke $(P, V)$ $q$ times in parallel. Specifically, on common input $\{x_i : i = 1, \ldots, q\}$ and (private) input $\{w_i : i = 1, \ldots, q\}$ to $P^q$, the $i$-th invocation is $(P(w_i), V)(x_i)$. Then $(P^q, V^q)$ is QC-WI for the relation

$$R_L^q := \big\{(\{x_i : i = 1, \ldots, q\}, \{w_i : i = 1, \ldots, q\}) : \forall i,\ (x_i, w_i) \in R_L\big\}.$$


It is easy to see that quantum ZK implies QC-WI. Meanwhile, if we use a statistically binding and quantum computationally hiding commitment (as the one following Assumption 1) in Blum's basic (3-round) ZK protocol [10], we can show that the resulting protocol, call it $\mathrm{HC}_Q$, is quantum ZK using the techniques from [72]. Therefore, we claim that $\mathrm{HC}_Q$ is QC-WI. Using a polynomial number of parallel repetitions of $\mathrm{HC}_Q$, we have a QC-WI protocol for NP with negligible soundness error, which we call $\Pi_{WI}$ and will use in later constructions.

We now construct $\Pi_{ZK}^{CF}$, which quantum-UC emulates $\mathcal{F}_{ZK}$ in the $\mathcal{F}_{CF}$-hybrid model.

Let $L$ be an NP language and $R_L$ be the corresponding NP-relation. Let $\mathrm{PG}$ be a quantum-secure pseudorandom generator as in Assumption 1 and let $\mathcal{E} = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be an encryption scheme as in Assumption 2. We define another relation

$$R = \Big\{\big((x_1, x_2, pk, e), \hat{w}\big) : \big(\hat{w} = (w, r) \wedge \mathrm{Enc}_{pk}(w, r) = e \wedge (x_1, w) \in R_L\big) \ \text{or}\ \big(\mathrm{PG}(\hat{w}) = x_2\big)\Big\}.$$

It is clear that $R$ is an NP-relation, and thus there is a WI proof for $R$. The key idea of constructing $\Pi_{ZK}^{CF}$ is to exploit the outcome of the coin-flipping in a clever way. We will interpret the coins $s$ as two parts $(s_1, s_2)$, where $s_1 = pk$ will be used as a public key for $\mathcal{E}$, and $s_2$ will sometimes be an output string of $\mathrm{PG}$. Our $\Pi_{ZK}^{CF}$ then has a simple form: $P$ and $V$ get $s = (s_1, s_2)$, $P$ sends $x$ and $e = \mathrm{Enc}_{s_1}(w)$ to $V$, and next they run a WI protocol on $(x_1 = x, x_2 = s_2, pk = s_1, e)$ using witness $w$. Intuitively, if the adversary $\mathcal{A}$ corrupts the verifier $V$, then $\mathcal{S}$ can choose fake coins $s' = (s'_1, s'_2)$ where $s'_2$ is generated by $\mathrm{PG}$ with a random seed $r$, i.e., $s'_2 = \mathrm{PG}(r)$. Then it generates an arbitrary ciphertext as $e$ and uses $r$ as a witness in the WI proof, and witness-indistinguishability ensures that $\mathcal{A}$ cannot distinguish this from the case where $P$ uses a real witness $w$ of $x$. If the prover is corrupted, $\mathcal{S}$ can simply generate $(pk, sk) \leftarrow \mathrm{Gen}(1^n)$ and assign $pk$ as $s'_1$, while $s'_2$ is still uniformly chosen. Therefore, whenever $\mathcal{A}$ convinces $\mathcal{S}$ in the WI protocol, $\mathcal{S}$ then decrypts (it knows $sk$) $w = \mathrm{Dec}_{sk}(e)$. However, there is one subtlety. Namely, $R$ has two kinds of witnesses: either a real $w$ (which is what we really ask for) s.t. $(x, w) \in R_L$, or a random seed $r$ s.t. $\mathrm{PG}(r) = s_2$. We do not want $\mathcal{A}$ to be capable of achieving the latter case. This is easy to guarantee though, because we can choose a generator $\mathrm{PG}$ with sufficient expansion factor, e.g., $\mathrm{PG} : \{0,1\}^n \to \{0,1\}^{3n}$. Then given a uniformly random $3n$-bit string $s_2$, the probability that there is a seed $r \in \{0,1\}^n$ getting mapped to $s_2$ is negligible. Thus whenever a prover succeeds in WI, it must have proved the statement with respect to $R_L$ rather than with respect to $\mathrm{PG}$. The formal description of protocol $\Pi_{ZK}^{CF}$ follows.


UC-secure ZKAoK Protocol $\Pi_{ZK}^{CF}$

(a) $P$ and $V$ get $s = (s_1, s_2) \in \{0,1\}^n \times \{0,1\}^{3n}$ from $\mathcal{F}_{CF}$.

(b) $P$ sends $x$ and $e = \mathrm{Enc}_{s_1}(w, r)$ to $V$.

(c) $P$ and $V$ invoke a WI protocol $\Pi_{WI}$ for relation $R$ with input instance $(x_1 = x, x_2 = s_2, pk = s_1, e)$. $P$ uses $(w, r)$ as a witness for $(x_1, x_2, pk, e)$.

(d) $V$ accepts if it accepts in $\Pi_{WI}$.
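The two-witness relation $R$ and the expansion-factor argument of the preceding paragraph, as an added illustration that is not code from the paper. It assumes a toy PRG `PG` built from SHA-256 with the $n \to 3n$ expansion of the text, a toy symmetric stand-in `enc` for $\mathrm{Enc}_{pk}(w, r)$ (the paper needs a dense public-key scheme, Assumption 2), a toy NP relation `in_RL` (x is the SHA-256 digest of w), and $n = 4$ so that every seed can be enumerated; none of these are the paper's objects, and all sample values are constructed.

```python
import hashlib

N = 4  # toy seed length n; PG maps n bits to 3n bits as in the text (constructed, tiny so every seed can be enumerated)


def PG(seed: int) -> int:
    """Constructed stand-in for the PRG PG: {0,1}^n -> {0,1}^{3n}, built from SHA-256.

    It only reproduces the expansion factor the argument relies on; it is not
    claimed to satisfy Assumption 1."""
    digest = hashlib.sha256(b"PG|" + seed.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << (3 * N)) - 1)


def enc(pk: int, w: bytes, r: bytes) -> bytes:
    """Constructed stand-in for Enc_pk(w, r): randomness r is sent in the clear and
    w is masked with a hash-derived pad keyed by (pk, r).

    The paper needs a dense public-key scheme (Assumption 2); this toy is symmetric
    and exists only so that the relation R below is checkable."""
    pad = hashlib.sha256(b"ENC|" + pk.to_bytes(2, "big") + b"|" + r).digest()
    return r + bytes(x ^ y for x, y in zip(w, pad))


def in_RL(x: bytes, w: bytes) -> bool:
    """Toy NP relation R_L (constructed): x is the SHA-256 digest of the witness w."""
    return hashlib.sha256(w).digest() == x


def in_R(instance: tuple, witness: tuple) -> bool:
    """The relation R from the text.  instance = (x1, x2, pk, e); the witness is either
    ("enc", w, r) with Enc_pk(w, r) = e and (x1, w) in R_L, or ("seed", r) with PG(r) = x2."""
    x1, x2, pk, e = instance
    if witness[0] == "enc":
        _, w, r = witness
        return enc(pk, w, r) == e and in_RL(x1, w)
    if witness[0] == "seed":
        return PG(witness[1]) == x2
    return False


def seed_witness_exists(x2: int) -> bool:
    """Brute force over all 2^n seeds: could a prover use the PG branch of R for this x2?"""
    return any(PG(r) == x2 for r in range(1 << N))


def fraction_of_strings_in_pg_image() -> float:
    """|image(PG)| / 2^{3n}: at most 2^n / 2^{3n} = 2^{-2n}, which is why a uniformly
    random s2 almost never admits a seed witness."""
    image = {PG(r) for r in range(1 << N)}
    return len(image) / (1 << (3 * N))


def honest_and_simulated_runs() -> dict:
    """Both ways of satisfying R, on constructed values."""
    w = b"witness"
    x1 = hashlib.sha256(w).digest()
    pk = 0x5                      # s1, interpreted as the public key
    r_enc = b"\x11" * 8
    # Honest prover: s2 is a (here fixed, constructed) random string; witness is (w, r).
    s2_random = 0xABC
    honest = in_R((x1, s2_random, pk, enc(pk, w, r_enc)), ("enc", w, r_enc))
    # Simulator for a corrupted verifier: s2' = PG(r_seed), ciphertext of zeros, witness is the seed.
    r_seed = 9
    s2_fake = PG(r_seed)
    e_zero = enc(pk, b"\x00" * len(w), r_enc)
    simulated = in_R((x1, s2_fake, pk, e_zero), ("seed", r_seed))
    # The zero ciphertext carries no R_L witness, so the enc branch fails on it.
    enc_branch_on_zero = in_R((x1, s2_fake, pk, e_zero), ("enc", b"\x00" * len(w), r_enc))
    return {"honest": honest, "simulated": simulated, "enc_branch_on_zero": enc_branch_on_zero}


if __name__ == "__main__":
    print(honest_and_simulated_runs(), fraction_of_strings_in_pg_image())
```

For $n = 4$ the enumeration shows that at most 16 of the 4096 possible $s_2$ values have a seed witness, which is the $2^{-2n}$ bound of the text; `honest_and_simulated_runs()` returns `True` for both the honest $(w, r)$ witness and the simulator's seed witness, and `False` for the encryption branch on the all-zero ciphertext, which is exactly why the simulator needs the seed branch.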


Lemma 5.6. The classical protocol $\Pi_{ZK}^{CF}$ C-QUC emulates $\mathcal{F}_{ZK}$.

Proof. We first deal with the case in which the prover is corrupted.

Simulator $\mathcal{S}$: prover is corrupted
Input: adversary $\mathcal{A}$; security parameter $1^n$.

(a) $\mathcal{S}$ initializes $\mathcal{A}$ with whatever input state it receives from the environment.

(b) $\mathcal{S}$ internally generates $(pk, sk) \leftarrow \mathrm{Gen}(1^n)$ and sets $s'_1 = pk$. It chooses $s'_2 \leftarrow \{0,1\}^{3n}$ uniformly at random. Let $s' = (s'_1, s'_2)$ be the fake coins; they are given to $\mathcal{A}$.

(c) When $\mathcal{S}$ receives $(x, e)$ from $\mathcal{A}$, it decrypts $e$ to get $w = \mathrm{Dec}_{sk}(e)$.

(d) $\mathcal{S}$ runs $\Pi_{WI}$ with $\mathcal{A}$ on input instance $(x, s'_2, s'_1, e)$, where $\mathcal{S}$ plays the role of the verifier. If $\mathcal{S}$ accepts in $\Pi_{WI}$, it sends $(x, w)$ to $\mathcal{F}_{ZK}$.

(e) $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs.

Claim 5.7. For any $\mathcal{A}$ corrupting the prover, $M_{\Pi_{ZK}^{CF},\mathcal{A}} \approx_{qc} M_{\mathcal{F}_{ZK},\mathcal{S}}$.

Proof. Note that in the ideal world, if $(x, w) \notin R_L$, the dummy verifier will reject. Define an intermediate machine $M$ in which $\mathcal{S}$ always sends $x$ to the dummy verifier (i.e., it accepts), and $M$ is identical to $M_{\mathcal{F}_{ZK},\mathcal{S}}$ otherwise. $M$ and $M_{\mathcal{F}_{ZK},\mathcal{S}}$ behave differently only when $\Pi_{WI}$ succeeds but somehow $(x, w) \notin R_L$. This however violates the soundness property of $\Pi_{WI}$. Hence $M_{\mathcal{F}_{ZK},\mathcal{S}} \approx_{qc} M$. Then $M$ and $M_{\Pi_{ZK}^{CF},\mathcal{A}}$ are simply related by switching between a valid public key and a truly random string. The lemma then follows from Assumption 2. □

Now we consider the case where $\mathcal{A}$ corrupts the verifier.

Simulator $\mathcal{S}$: verifier is corrupted
Input: given adversary $\mathcal{A}$; security parameter $1^n$.

(a) $\mathcal{S}$ initializes $\mathcal{A}$ with whatever input state it receives from the environment.

(b) Wait till it receives $x$ from $\mathcal{F}_{ZK}$. Then $\mathcal{S}$ internally generates $s'_1 \leftarrow \{0,1\}^n$. It also generates $r \leftarrow \{0,1\}^n$ and sets $s'_2 = \mathrm{PG}(r)$. Let $s' = (s'_1, s'_2)$ be the fake coins; they are given to $\mathcal{A}$.

(c) $\mathcal{S}$ sends $x$ and $e = \mathrm{Enc}_{s'_1}(0^n)$ to $\mathcal{A}$ and then invokes $\Pi_{WI}$ with $\mathcal{A}$ on input instance $(x, s'_2, s'_1, e)$. $\mathcal{S}$ uses $r$ as a witness.

(d) $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs.

Claim 5.8. For any $\mathcal{A}$ corrupting the verifier, $M_{\Pi_{ZK}^{CF},\mathcal{A}(V)} \approx_{qc} M_{\mathcal{F}_{ZK},\mathcal{S}}$.

Proof. We define a sequence of indistinguishable machines as follows.

Hybrid Machines

• $M_0 :=$ the ideal-world machine describing $P$, $\mathcal{S}$ and $\mathcal{F}_{ZK}$ as a single interactive machine.

• $M_1$: same as $M_0$ except that the ciphertext is changed from $\mathrm{Enc}_{s'_1}(0^n)$ to $e = \mathrm{Enc}_{s'_1}(w)$. Here $w$ is a witness for $x$, i.e., $R_L(x, w) = 1$.

• $M_2$: identical to $M_1$ except that $M_2$ uses $w$ as the witness in $\Pi_{WI}$.

• $M_3$: $s_2$ is also chosen uniformly at random, rather than pseudorandom. Note $M_3$ is exactly the real-world machine $M_{\Pi_{ZK}^{CF},\mathcal{A}(V)}$.

Now we can see that:

• $M_0 \approx_{qc} M_1$ because they are simply related by changing the plaintext of the encryption $e$.

• $M_1 \approx_{qc} M_2$ because $\Pi_{WI}$ is QC-WI. Otherwise we can construct a malicious $V^*$ such that $M_{P(w_1),V^*}$ and $M_{P(w_2),V^*}$ become distinguishable.

• $M_2 \approx_{qc} M_3$ because they are simply related by switching a pseudorandom string to a uniformly random string.

Thus Claim 5.8 holds. □

We finally get that $\Pi_{ZK}^{CF}$ quantum-UC emulates $\mathcal{F}_{ZK}$. □
A Proof of Modular Composition Theorem

Proof of Theorem 3.4. Let $\Pi'$ be the composed protocol, i.e., $\Pi$ with its subroutine call to $\Gamma$ replaced by $\Gamma'$. We show the theorem in the computational setting; the proofs for the statistical and perfect settings are analogous. Specifically, we need to show that

$$\forall \mathcal{A}\ \exists \mathcal{S} : M_{\Pi',\mathcal{A}} \approx_{qc} M_{\Pi,\mathcal{S}}.$$

Without loss of generality, we assume that $\Pi$ only calls $\Gamma$ once. The proof will proceed in three steps:

(a) From any adversary $\mathcal{A}$ attacking $\Pi'$, we construct another adversary $\mathcal{A}_{\Gamma'}$ attacking $\Gamma'$. Notice that $\Gamma'$ is a subroutine in $\Pi'$. Basically $\mathcal{A}_{\Gamma'}$ consists of the segment of the circuits of $\mathcal{A}$ during the subroutine call of $\Gamma'$.

(b) By the assumption that $\Gamma'$ C-QSA emulates $\Gamma$, we know that $\forall \mathcal{A}_{\Gamma'}\ \exists \mathcal{A}_{\Gamma} : M_{\Gamma',\mathcal{A}_{\Gamma'}} \approx_{qc} M_{\Gamma,\mathcal{A}_{\Gamma}}$. This gives us an adversary $\mathcal{A}_{\Gamma}$.

(c) Finally the adversary $\mathcal{S}$ will be constructed by "composing" the machines $\mathcal{A}$ and $\mathcal{A}_{\Gamma}$: when $\Pi$ makes the subroutine call to $\Gamma$, $\mathcal{S}$ runs $\mathcal{A}_{\Gamma}$; otherwise it follows the operations of $\mathcal{A}$. Then $M_{\Pi',\mathcal{A}} \approx_{qc} M_{\Pi,\mathcal{S}}$ basically follows from $M_{\Gamma',\mathcal{A}_{\Gamma'}} \approx_{qc} M_{\Gamma,\mathcal{A}_{\Gamma}}$.

Next we give the details.

Step 1 (Constructing $\mathcal{A}_{\Gamma'}$ from $\mathcal{A}$). Adversary $\mathcal{A}_{\Gamma'}$ represents the segment of $\mathcal{A}$ during the subroutine $\Gamma'$. It starts with some state that supposedly represents the joint state in an execution of $\Pi'$ with $\mathcal{A}$ right before the invocation of $\Gamma'$. It then runs $\mathcal{A}$ till the completion of $\Gamma'$.

Adversary $\mathcal{A}_{\Gamma'}$
Input: adversary $\mathcal{A}$; security parameter $1^n$.

(a) $\mathcal{A}_{\Gamma'}$ initiates $\mathcal{A}$ with whatever input it receives from the environment. It then runs $\mathcal{A}$ in the execution of $\Gamma'$.

(b) When $\Gamma'$ terminates, $\mathcal{A}_{\Gamma'}$ outputs the state on all of $\mathcal{A}$'s registers.

Step 2 (Simulating $\mathcal{A}_{\Gamma'}$ by $\mathcal{A}_{\Gamma}$). This step is straightforward from the hypothesis that $\Gamma'$ C-QSA emulates $\Gamma$, which means that $\forall \mathcal{A}_{\Gamma'}\ \exists \mathcal{A}_{\Gamma} : M_{\Gamma',\mathcal{A}_{\Gamma'}} \approx_{qc} M_{\Gamma,\mathcal{A}_{\Gamma}}$.

Step 3 (Constructing $\mathcal{S}$ from $\mathcal{A}_{\Gamma}$ and $\mathcal{A}$). The construction is as described above. Here we show that $M_{\Pi',\mathcal{A}} \approx_{qc} M_{\Pi,\mathcal{S}}$. Suppose for contradiction that there exists a distinguisher $\mathcal{Z}$ and a state $\sigma_n$ (see the footnote below) such that:

$$\big|\Pr[\mathcal{Z}((\mathbb{1}_R \otimes M_{\Pi',\mathcal{A}})(\sigma_n)) = 1] - \Pr[\mathcal{Z}((\mathbb{1}_R \otimes M_{\Pi,\mathcal{S}})(\sigma_n)) = 1]\big| > \epsilon(n)$$

with $\epsilon(n) > 1/\mathrm{poly}(n)$. We show a distinguisher $\hat{\mathcal{Z}}$ and a state $\hat{\sigma}_n$ such that on input $\hat{\sigma}_n$, $M_{\Gamma',\mathcal{A}_{\Gamma'}}$ and $M_{\Gamma,\mathcal{A}_{\Gamma}}$ become distinguishable under $\hat{\mathcal{Z}}$.

• Let $\hat{\sigma}_n$ be the joint state of executing $\Pi'$ in the presence of $\mathcal{A}$ on input $\sigma_n$ right before the invocation of $\Gamma'$. Clearly it is identical to the joint state of executing $\Pi$ in the presence of $\mathcal{S}$ on input $\sigma_n$ right before the invocation of $\Gamma$.

• Distinguisher $\hat{\mathcal{Z}}$ runs the circuits of $\mathcal{A}$ after the execution of the subroutine $\Gamma'$ (equivalently, the circuits of $\mathcal{S}$ after the execution of the subroutine $\Gamma$) and then runs $\mathcal{Z}$.

It is easy to see that

$$\hat{\mathcal{Z}}((\mathbb{1}_R \otimes M_{\Gamma',\mathcal{A}_{\Gamma'}})(\hat{\sigma}_n)) = \mathcal{Z}((\mathbb{1}_R \otimes M_{\Pi',\mathcal{A}})(\sigma_n)) \quad \text{and} \quad \hat{\mathcal{Z}}((\mathbb{1}_R \otimes M_{\Gamma,\mathcal{A}_{\Gamma}})(\hat{\sigma}_n)) = \mathcal{Z}((\mathbb{1}_R \otimes M_{\Pi,\mathcal{S}})(\sigma_n)),$$

where "$=$" means identical distributions. This implies that

$$\big|\Pr[\hat{\mathcal{Z}}((\mathbb{1}_R \otimes M_{\Gamma',\mathcal{A}_{\Gamma'}})(\hat{\sigma}_n)) = 1] - \Pr[\hat{\mathcal{Z}}((\mathbb{1}_R \otimes M_{\Gamma,\mathcal{A}_{\Gamma}})(\hat{\sigma}_n)) = 1]\big| > \epsilon(n).$$

This contradicts the assumption that $M_{\Gamma',\mathcal{A}_{\Gamma'}} \approx_{qc} M_{\Gamma,\mathcal{A}_{\Gamma}}$.

This concludes our proof of the modular composition theorem. □


B A Special Constraint in Quantum Stand-Alone Model: Markov Condi¬ 
tion 

Another choice exists in the literature Il27ll32ll . where a stand-alone model was proposed to capture secure 
emulation of classical functionalities. Only a special form of inputs is allowed there, which satisfy what 
we call the Markov condition. As opposed to a general bipartite state with one part being classical (a.k.a 
cq-states): Pab = Yla ^a\tt) (fl| ® Pb’ Markov condition requires that the input to dishonest Bob contains 
a classical subsystem Y such that conditioned on Y Bob’s quantum input is independent of Alice’s classical 
input. Such states are denoted as 

Pa^y^b = J2^‘^^b\a){a\AZ\b){b\YZpB- 

a,b 

Now let us analyze how Markov condition affects our abstract model discussed above. It turns out that 
the effect of Markov condition, again, depends on whether Zq takes quantum advice. 

Zi takes quantum advice: Markov condition becomes redundant. We denote models with Markov 
condition A4*. 

Lemma B.1. $\mathcal{M}^*_{aux_1,\cdot,\cdot} = \mathcal{M}_{aux_1,\cdot,\cdot}$ regardless of the choices for $aux_2$ and state passing. Namely, the model where inputs must satisfy the Markov condition is equivalent to the model where inputs may be arbitrary bipartite cq-states.

[Footnote] More precisely, there exists a family of states
Proof. To be concrete, we consider the two models $\mathcal{M} := \mathcal{M}_{aux_1,\cdot,\mathrm{state}}$ and $\mathcal{M}' := \mathcal{M}^*_{aux_1,\cdot,\mathrm{state}}$. The same argument applies to the other cases.

One direction is obvious: if a protocol $\Pi$ emulates $\mathcal{F}$ in $\mathcal{M}$, then it automatically holds that $\Pi$ emulates $\mathcal{F}$ in $\mathcal{M}'$. This is because we can think of the Markov condition as specifying a subclass of the $Z_1$ allowed in $\mathcal{M}$. Now we show the converse by contradiction. Specifically, we prove that if there is an adversary $\mathcal{A}$ in $\mathcal{M}$ such that for every $\mathcal{S}$ there exist $(Z_1, Z_2)$ for which $Z_2$ can distinguish $\mathcal{M}_{\Pi,\mathcal{A}}$ from $\mathcal{M}_{\mathcal{F},\mathcal{S}}$, then in the model $\mathcal{M}'$ we can construct $\mathcal{A}'$, $Z'_1$ and $Z'_2$ such that no $\mathcal{S}'$ is able to simulate $\mathcal{A}'$. By our hypothesis, there is an input state $\sigma_n$, which can always be written as $\sum_a \lambda_a\, |a\rangle\langle a|_A \otimes \sigma_n^a$ with $\sum_a \lambda_a = 1$, such that

$$\big|\Pr[Z_2(\mathcal{M}_{\Pi,\mathcal{A}}(\sigma_n)) = 1] - \Pr[Z_2(\mathcal{M}_{\mathcal{F},\mathcal{S}}(\sigma_n)) = 1]\big| > 1/\mathrm{poly}(n)$$

holds for any poly-time $\mathcal{S}$. Observe that each summand $|a\rangle\langle a|_A \otimes \sigma_n^a$ of $\sigma_n$ trivially satisfies the Markov condition. Since $\sigma_n$ is a convex combination of the states $|a\rangle\langle a|_A \otimes \sigma_n^a$, there must be a $\sigma'_n = |a\rangle\langle a|_A \otimes \sigma_n^a$ such that

$$\big|\Pr[Z_2(\mathcal{M}_{\Pi,\mathcal{A}}(\sigma'_n)) = 1] - \Pr[Z_2(\mathcal{M}_{\mathcal{F},\mathcal{S}}(\sigma'_n)) = 1]\big| > 1/\mathrm{poly}(n)$$

for any poly-time $\mathcal{S}$. This observation tells us that we can simply let $\mathcal{A}' := \mathcal{A}$, $Z'_2 := Z_2$, and let $Z'_1$ be the machine that takes the quantum advice $\{\sigma'_n\}$ and hands $\sigma'_n$ to the players as input. Then for any poly-time $\mathcal{S}'$,

$$\big|\Pr[Z'_2(\mathcal{M}_{\Pi,\mathcal{A}'}(\sigma'_n)) = 1] - \Pr[Z'_2(\mathcal{M}_{\mathcal{F},\mathcal{S}'}(\sigma'_n)) = 1]\big| = \big|\Pr[Z_2(\mathcal{M}_{\Pi,\mathcal{A}}(\sigma'_n)) = 1] - \Pr[Z_2(\mathcal{M}_{\mathcal{F},\mathcal{S}'}(\sigma'_n)) = 1]\big| > 1/\mathrm{poly}(n).$$

This shows that emulation in $\mathcal{M}'$ implies emulation in $\mathcal{M}$.


□ 

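The step in the proof above that passes from the mixture $\sigma_n$ to a single summand $\sigma'_n$ is an averaging argument. The following derivation, written in the paper's notation, is an added worked example and not part of the original proof; it assumes only that $\mathcal{M}_{\Pi,\mathcal{A}}$, $\mathcal{M}_{\mathcal{F},\mathcal{S}}$ and $Z_2$ act linearly on the input density operator, which holds for any quantum machine whose final output is a measurement outcome.

Write $\sigma_n = \sum_a \lambda_a\, |a\rangle\langle a|_A \otimes \sigma_n^a$ with $\lambda_a \ge 0$, $\sum_a \lambda_a = 1$, and set

$$x_a := \Pr[Z_2(\mathcal{M}_{\Pi,\mathcal{A}}(|a\rangle\langle a|_A \otimes \sigma_n^a)) = 1], \qquad y_a := \Pr[Z_2(\mathcal{M}_{\mathcal{F},\mathcal{S}}(|a\rangle\langle a|_A \otimes \sigma_n^a)) = 1].$$

By linearity, $\Pr[Z_2(\mathcal{M}_{\Pi,\mathcal{A}}(\sigma_n)) = 1] = \sum_a \lambda_a x_a$ and $\Pr[Z_2(\mathcal{M}_{\mathcal{F},\mathcal{S}}(\sigma_n)) = 1] = \sum_a \lambda_a y_a$, so the hypothesis on $\sigma_n$ reads

$$\frac{1}{\mathrm{poly}(n)} < \Big|\sum_a \lambda_a (x_a - y_a)\Big| \le \sum_a \lambda_a\, |x_a - y_a| \le \max_a |x_a - y_a|,$$

using the triangle inequality and $\sum_a \lambda_a = 1$. Let $a^*$ attain the maximum and put $\sigma'_n := |a^*\rangle\langle a^*|_A \otimes \sigma_n^{a^*}$; then $|x_{a^*} - y_{a^*}| > 1/\mathrm{poly}(n)$, which is the inequality the proof uses for $\sigma'_n$. The summand is also a Markov state in the sense of the definition at the start of this appendix: taking $Y$ to be a one-valued register, $\sigma'_n = |a^*\rangle\langle a^*|_A \otimes |0\rangle\langle 0|_Y \otimes \sigma_n^{a^*}$ has the form $\sum_{a,b} p_{a,b}\, |a\rangle\langle a|_A \otimes |b\rangle\langle b|_Y \otimes \rho_B^b$ with $p_{a^*,0} = 1$ and $\rho_B^0 = \sigma_n^{a^*}$, so conditioned on $Y$ Bob's input does not depend on Alice's (now fixed) classical input.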

$Z_1$ takes no quantum advice: the Markov condition may matter. The argument in Lemma B.1 does not necessarily apply here, because previously we could simply give $\sigma'_n$ to $Z_1$ directly as advice. However, $\sigma'_n$ might be impossible to generate on a poly-time QTM. It would be interesting either to construct a concrete example showing a separation or to give a proof of equivalence. We do not have clear insight into the Markov condition in this case, and leave the possibility of a separation as an open question.